
Uh, good morning, welcome to day two. Discord channel, can you hear me? Come on, ping, ping. Yeah, a little bit slow on the uptake; they haven't got the coffee van like we have. Um, cool. Welcome back. A few sore heads this morning; the bar tab, as expected, did not last very long at all. That got consumed pretty quickly. Who knew free beer just went so quick? I thought there'd still be some left today. A few points of note: make sure that you have tagged, um, plans for today. Yeah, the coffee van's here till about lunchtime, that's all pretty cool. Uh, donut delivery arrived before most of you this morning, and they've been hidden away and locked away to stop you little monkeys getting your hands on them before the morning break. Um, and the usual pizzas and everything will be coming through. There is still lost property waiting to be collected; I still have a very nice pair of headphones which I will claim if they don't get picked up. Uh, we've got some prescription sunnies as well.

Um, nobody really had a clue at the quiz last night as to the vollies' names and what they actually bring to the party, so I'm going to take two minutes just to run through who's there. So Sneaky, sitting over there on the video, myself and Dolls are obviously the three organisers. The guy that runs the lock picking, Evil D, he is over there. Um, he goes away and he spends a ridiculous amount of his own money on locks and checks and everything, builds all of that stuff together, puts a lot of competition, everything, together, and he does that every year for us. Uh, his amazing partner Kerry is here as well. If you've been to the bathrooms and used them here and you've seen the bowls which have got the headache tablets and the hygiene products and all of those kinds of bits in, that's him as well. They go away and they put those things together so that everyone has a really good experience here, and they also spent probably the last three months making all the badges that you can get to wear to say whether you want your photo taken or not, and your preferred pronouns and everything, so a huge amount of effort goes in. Um, Lauren is here; it's her first year kind of vollying for BSides and she's smashing it out of the park. Snaids, we don't know where he hibernates through the year, but he kind of comes out about three days before BSides to see if we need a hand and smashes everything out of the park, so he's awesome. Photo monkey down the front, Rami, is awesome; he goes around and does the things that we just cannot find the time to do, which is go around, check that everyone's having a good time, take some awesome pics. Uh, my amazing better half, um, just comes through every year and just helps me out with so much stuff and keeps the stress levels, uh, pretty low, as low as they can be, and she's probably also spent the last two weeks packing your swag bags. And my daughter, who you've seen around the place as well, she sorts out all the stickers and all the goodies and makes sure that you all get some good swag in those bags. So be sure to say hello and thank you; they give an amazing amount of time to make this a success so that you'll get the best out of it that you can. So, uh, so we've got Adam, we've got Kerry, we've got Sneaky, we've got myself, we've got Dolls, we've got Brooke, we've got Caitlin, we've got Lauren, we've got Snaids, and Toby's the big guy that comes up; he's been making sure you all stay hydrated by going out and getting like 50 cartons of water at a time.

On that note, we're creating an awful amount of recycling and landfill, so there are water fountains all around; if you can, refill your bottles. We do have bottles of water; if you lose them, misplace them, put them down next to six others and you're not sure which one's yours, um, grab one if you need to or refill from the fountains. Uh, we filled the bins in no time at all and we had to get a cleaning run out yesterday, so help us out with those things. Um, what else? Yeah, lost property, I've mentioned. CTF: uh, first place is a little bit ahead and then there's a lot of contention for the next two or three places, so if you are in that, keep chugging away at it. Saw a lot of communications going around on the CTF and some challenges and stuff yesterday. If you have awesome challenges or you think you can do better, contribute back and create those challenges; speak to Fifth Domain, speak to ourselves, and let's get those back in so that everybody can learn and develop from those challenges. That's what they're here for; winning is not everything. Um, we are a community and we want to try and help each other to be successful, so if you can build some cool challenges that you think will be a learning experience for somebody else, do it, give something back.

Um, there are a few tweaks to the schedule today. So one of the speakers has come up and said he's actually a little cautious now about putting his out on the live stream for those listening at home. (And put my glasses on so I can actually read my phone screen, because I'm at that funny age.) Um, let's have a look. So where we cannot live stream things, uh, we do have a couple of talks that we're going to throw in. So our plan at this point in time: we will still get Emmanuel's talk over here in person; we will throw out an additional talk from Evil D, one of the vollies, just on a little bit of a play badge that he's put together. Um, that's about a 10 or 15 minute talk in place of a 20 minute in-person talk that we've got over here. Um, the Android PIN brute forcing one as well, we pulled that one down overnight. Um, the plan with that one is at lunchtime here, because there is no slack space in the schedule at all. Um, obviously for people in the eastern states that's not your lunchtime, so instead of us just cutting away for a break for lunch we're going to throw that one straight out onto the live stream, so that you've got something to watch over in the eastern states while you're sipping your coffees and your beers, and people over here can come and sit in and watch it. It's recorded anyway, so this stuff's going to go on our YouTube channel and you'll be able to see that afterwards. And please, the social media activities were, uh, just crazy yesterday, so keep smashing the hashtag, followers. If you've got questions, Discord is probably the best place to get through to us as quickly if you need answers to things. Um, but let's see those photos from everybody kind of enjoying the conference. Uh, and on that note, I reckon I'm ready to hand over to James, uh, Sunday's keynote, Mr Bromberger. Take it over, tell us all about your talk.

Thank you very much. Good morning everybody. I'm going to start with, um, the serious bit first and then I'll get rid of that very quickly. So I firstly want to thank the organisers, because it's great to be back at a conference in
person. I was having friends from overseas saying it had been years since they'd seen, first, a conference, and secondly a conference with no masks, so, um, it's fantastic to be here. I do want to acknowledge the traditional owners of the land on which we're meeting today, the Whadjuk Noongar people, and I pay my acknowledgement to their elders past, present and future. I'm going to stop with the serious bits there and I'm going to start with the fun bits. I also want to pay my respects to the traditional owners of the network here, and when I say owners I mean owned, and that would be the UCCans of Cameron Hall. Any UCCans in the room? One, two, three, there's a few around. So the UCC predates the department of computer science here by a number of years, and in a time when identity checks weren't as strict as they are today, they enrolled one of their computers in a degree of computer science, and the paperwork was done by volunteers; by paperwork I mean exams, done by volunteers within the organisation. And so one of the servers inside the UCC obtained a degree of computer science here at UWA. Um, the legend became myth, and over time this identity, a computer called Murphy, obtained a doctorate just by name change effectively, and is the official contact address for the computer science, uh, hackers here on the university.

So, um, I'm going to give you a little bit of a run back through some of the web stuff which has been happening, because I've traditionally been more on the blue team of things, not so much a destroyer but a defender, and it is an interesting space which is changing fairly rapidly. But first I'll tell you a little bit more about why I'm here and why I'm talking, take you through some certificate authority changes, and obviously there's a lot going on in that space. We touched on the history generally of cryptography, but we're going to talk about some of the stuff which has been happening that is real world today, and stuff which is stuff you can change, which doesn't cost any money, to try and help protect what you're doing.

So firstly, with the PII, I've obfuscated a few bits and pieces, because nobody goes to a hacker conference and hands out everything, so, um, please take my mother's maiden name and put that into your user agent string, um, and hilarity will ensue. I'm actually surprised that the organisers managed to receive my presentation and it didn't get flagged up, so that was, uh, it's great. So, no, um, yes, and my dog, Little, uh, Drop Tables. Um, so I've been a volunteer at the tech space for some time. Um, that photo was January 2003, um, when we ran linux.conf.au here at the university, uh, with about 700 people, and we brought Linus Torvalds to Perth way, way, way back. I've been one of the Debian developers now for 21 odd years, um, so, and that was actually triggered by, uh, Toivo Podesta, one of the long-term network administrators here at UWA, who was kind enough to set up a Debian mirror back in the 1990s, which was the first major distribution that we had access to here at UWA. Um, I managed to convince Nick, down the front here, and others to bring LCA back to Perth in 2014, and I served for a while as, uh, PLUG president, and, uh, it was a fun time, uh, putting Linus in a penguin suit on a 35 degree day. Um, his girls now have just finished university and, uh, all grown up.

Um, so other stuff I've been doing: so I worked for a while for Hartley Poynton, uh, JDV, in their share trading piece. I was the web guy for that, so the only thing that stood between all of the share trading that most of the banks were doing and security was me. Um, I went to Europe for a while; I worked for a division of Canon Europe called Fotango, which was a little Perl shop. Perl is a language you don't hear much of these days, but it did some interesting stuff. We used to have a copy of everybody's photos if you bought a Canon camera in Europe. Um, it was kind of a precursor to Flickr, but we were pretty, um, inventive, and we came up with a concept for function execution as a service. In 2005 we started, 2006 it was launched, and if you look at the serverless history on Wikipedia, uh, that is where basically function as a service started. Um, I moved on to an advertising company, came back to Perth in 2010 with, uh, the little one, um, when he was six months old, uh, and took a job with a cloud startup company out of, um, Seattle, uh, and did three years working for AWS, opening the office here in Perth, which was a fun ride, uh, very interesting. I got to be the security solution architect for all of Australia and New Zealand, which meant I got to walk inside various data centres around this morning, um, and write white papers, and then walk into the vaults of various banks and tell them about how you connect up to the cloud. These days I work for part of the Adecco Group, Modis, along with a bunch of my colleagues; we look after various agencies and enterprises around town and across Australia. But going way, way back, uh, I studied here doing a computer science degree, computer science and French oddly enough, and that will come up in a second. Um, and, uh, I was, and I couldn't myself... in fact I think that was my Wheel photo, which is the administrative group for the UCC, back in, a long time ago, and my first paid web job was in 1995, and it was that web page there, which was written in French. Yeah, that was one of the things about being the weird guy who came from computer science to the arts faculty and then back again: "You know something about this; I've written up this thesis about French African authors, can we get this online?" That screenshot, taken last week, still renders after 24 years.

Now some of you may remember there was a period where there was this technology called Flash, and there were some comments made last week that there was this period of the early 2000s where a large number of news sources that were delivered via Flash are no longer available for archive, particularly around the September 11 attacks. Um, so it's a testament to the vision that Tim Berners-Lee had, so Tim, or TimBL, of having documents available to be rendered, and the fact that we can still render these things when we have the content; obviously the way we get the content has changed subtly over the years. Um, anyway, I moved on, uh, to work for this organisation. I had a job title once called webmaster, which was basically they couldn't figure out what else I was doing, or campus-wide information systems officer, uh, and yes, the 1997 annual report of this university, screenshotted last week, still renders. Um, and, uh, that was a great project; we were doing some really interesting stuff like making the entire university's faculty handbooks from this cut down version of SGML with my colleague at the time James Tauber, who worked on the W3C board, and they came up with this new little standard, a cut down version of HTML called XML, which has seen its time come and go I think, but still there. Anyway, that's who I am. Anyone got any heckles so far? Oh god, that one. Oh god, 2014. It's wisdom. Okay.
I guess my colleagues actually insisted that I should do this. Uh, yes, it's all been cloud all along, because nobody wants to look after servers. Anyone working in data centres here? Anyone? No? No one works in a data centre? Good, you're so lucky. It's like casinos but without the drinks. Um, okay, so, uh, blah blah blah blah, yeah, we went through that, went through that.

So, certificate authorities. Um, some of you would have been around when this came out; this was a reasonably significant event for the web. Um, and today you look at the things that this version supports, international security, do not go there, uh, because, you know, 56 bit certificates with 40 bits exposed isn't that strong, and in fact all of those technologies are pretty much superseded today, though I think people were yesterday talking about MD5. Um, uh, move on, stronger hashes please. Um, so the certificate authorities have been changing a lot of stuff in there. Um, now there are a bunch of free certificate authorities today, but there's a bunch of historical ones, so if we go back, VeriSign and Thawte, they came back from a long time ago, but they're all starting to move towards the ACME protocol, and this is not a Warner Brothers cartoon Acme; this is the automated certificate mechanism for getting certificates. If you haven't used it, you definitely should. The reason: because, um, who comes and goes and buys certificates at the moment? Anyone? You know, no one does; a few people do. If it's a manual process you're going to hate what's happening in the industry, because certificate lifetimes are shortening more and more, and there's been a few things that have been raised over the last couple of years to really bring it down, and we all know probably that Let's Encrypt is around a three month expiry. Um, and people do think about doing it shorter than that, down to days or weeks. You don't want to be doing that manually; you want to have that automated, and if you can automate it in production you should probably automate it in non-production as well.

Now all of these certificate authorities that are out there are kind of members of a club, the CA forum, the CA/Browser Forum. They pay a membership fee to legitimise the fact that they are a certificate authority. As a club, it's got various rules of membership, and a lot of those are technical, such as after this date you won't issue a certificate of this length or this algorithm, and you definitely don't want to issue a google.com certificate to someone who isn't google.com, because, you know, that'd be your job. Um, and of course this is done quite transparently; there's a lot of people who watch the recommendations that come out of the CA/Browser Forum and then go and check various public sources to make sure it's being enforced where possible, or if it's not, having the transparency of daylight, calling it out and saying hey, there's something going on here, and there's a long history of very, uh, well-known certificate authorities being called out for transgressing those rules over time.

One interesting piece was certificate transparency. So certificate transparency was introduced a while back now to actually show when a CA issues a certificate. So for example, if I was to, uh, issue a certificate for davidstuckbridge.com, you'd probably want to know about that, Dave, especially if I'm sitting on the opposite side of the world and you've never heard of me. If you look at your phone or your browser there's a large number of certificate authorities who are already trusted, and they may all be legitimate businesses, in fact they should be, but do you choose to trust them? Well, by default your browser has made an initial selection to say yes, but you may wish to review that list and remove those that you don't intend to visit services online that use certificates issued by those certificate authorities. So, um, certificate transparency has changed; there's a log of, in fact there has to be two logs of, every certificate issued by every legitimate CA. It's one of those rules of the CA/Browser Forum, and these days the actual location of those logs is embedded into the TLS certificate that you get handed going through automation, so you can actually go and find that log. Now there was a security header for a while that indicated that that should be expected, but this is pretty much to review these days; it happens automatically. Um, there's new requirements coming up, and we saw yesterday about RSA certificates, and these days we're starting to move into elliptic curve certificates, which is described as being the bowling ball algorithm of: you start at this point, you've got a curve, and if you go in this direction you bounce around to get to a destination number. That's the trapdoor function, or the one-way function, of that algorithm, and bit for bit it is supposed to be more secure than a traditional RSA certificate. RSA certificates get longer and longer; we spoke yesterday about 2048 bit certificates. I've got some 8192 bit certificates that are quite long. The longer you get with RSA it goes much, much slower, and so newer certificate, uh, signing algorithms means that this is faster. Um, so that's all very interesting.

Moving on to some bits and pieces. One thing you might want to do is be able to tell that list of legitimate certificate authorities that when you as an organisation want to go and buy a certificate, which CAs are you going to authorise to be your CA, and that is the Certificate Authority Authorization record that you can squirrel away in DNS. It's only ever looked up when a certificate authority is about to issue a certificate in your common name, your DNS name, so it's hardly ever used. You can set this at a zero second TTL; no one else ever looks it up. And you can specify whether those certificate authorities are allowed to issue explicit name certificates or wildcard certificates or both. You can list as many CAs as you want, and it might even stop you from having sort of shadow IT going out and buying a dodgy certificate from the South China Post, who are a legitimate CA but you might not be choosing to use them. It's surprising; this has been around now for quite some time, um, January 2013, nearly a decade, and you could probably count on two hands the number of organisations in Perth that have actually gone and set this record up and put it in there.

I spoke briefly about the signing algorithms; they are changing, and as a result of that a certificate chain from the issuing CA is also being upgraded to be based around the elliptic curve algorithms, so ECDSA new roots are being created. Let's Encrypt has just moved to one of these new roots after being on an existing RSA-based root for many years. They've called them names like X1 and X2; sounds very spooky. Turns out they're calling these certificate names with as short a name as possible. Anyone want to know why? Why they're making their names very short? Because they're transferred over the internet so very much that every byte is sacred; they're literally making the names of the CAs short. Um, so new certificates: in fact there's an opt-in at the moment on Let's Encrypt if you would like to be vended, through the automation you have in place, an ECDSA-based certificate. Browsers have supported this for several years at this stage.

Okay, high-level stuff: TLS changes. Now everyone in this room has probably heard about TLS; it's what's protecting most of what we do every day, especially as we've managed to digitise pretty much everything in our society. Whole bunch of versions; four years ago at this stage, or three years ago, was TLS 1.3 coming out basically, and I don't know if you can read the red on green, that was a thought this morning about colour blindness, but don't use any of the first bunch. They are absolutely bad; in fact they are so bad that the IETF has a request for comments, and if you've come across RFCs before, by the time you probably see it it's no longer requesting for comments, it means standard, but don't use anything less than TLS 1.2. And all of those earlier revisions are so bad, and we as an industry have been so lax at removing them, that the vendors themselves are removing implementations from their software base to force the fact that these things are turned off. If you're waiting for the next update to disable older versions of TLS you're probably waiting too long; you could probably go and turn these things off right now. Good logging will show whether or not they're in use. They shouldn't be; if they are, you've got some really outdated software that you've not updated somewhere else, and you've probably got a whole host of other issues out there. So, um, if you're ever looking for compatibility online there's a website called caniuse.com, and you can put in all kinds of technologies that you want to use in the browser and it will tell you the support matrix as it looks over common browsers, and most recent versions have got very good support for that. If you want to use TLS 1.0 you are going to get a bad day, because all browsers that are out there in common use these days no longer support it. So why leave it enabled? You might have some automation integrations happening which aren't using a traditional browser; fair enough, you probably should have updated those anyway.

I'm going to spill outside of web for a moment, and there was one other great thing that I've seen recently, and that is a nice update to Windows Server. So at the beginning of this month there was a new version of Windows Server that came out, 2022, and it is the first one where the cryptographic provider on the host, schannel.dll, supports TLS 1.3. Um, so I can see that in future being one of those forcing factors of we need to get to that version because we've removed all the older versions of TLS out of our environment. OpenSSL has had TLS 1.3 support since version 1.1.1, I think it was k or l, uh, also on its twelfth update now. Um, big update last week: OpenSSL 3 was released, um, currently going through FIPS validation. Um, but, uh, again, all change, upgrade where you can. TLS 1.3 only supports a small number of ciphers; the reason for that is there
were a lot of older weak bad ciphers that really you shouldn't be using anymore and including some modes of aes the advanced encryption standard previously called ringel so aes mode that you most commonly see these days uh is called gcm anyone here heard of gcm yeah anyone tell me what it stands for yeah gulowa counterboat this young man here is everest de gallo a young french mathematician now i've got a degree in mathematics you do too and this is where we're going to claim some credibility because at the age of 20 he got into a duel over a woman sadly he died he might not mean as good um and uh his last words were don't cry alfred his
friend who was with him at the time i have all i need all of my courage to be dead at the age of 20. um his field of mathematics was so misunderstood he was denied access into the academy frances for multiple years and it wasn't until years after his death that uh what he was doing with with his his field was seen as actually being valid and secured and pretty much every transaction you do nowadays is using his branch of mathematics to secure those transactions um and that is my link to french in this premiere oliver browser changes now unless you've been living under a rock browser versions on the open web have been looking a little bit like this
um that green line is versions of chrome dominating very much so i've been a firefox user for many many years kind of declining off to the to the right hand side there um but that's not the most interesting piece it's this one that i find is really interesting it is the rollout version that is actively in use and i think that this has been a testament to things like the approach on releases being lots of incremental small releases those that think back sort of 15 20 years ago a new release of a browser was a potentially world-ending moment of compatibility changes these days this is done in a very slow incremental way what's also interesting is that mum and
pop at home who are doing auto updates probably running the most recent browser and your standard operating environment in your organization which is version locked is probably not um and some agencies in western australia will choose current minus one version to be their soe and then not touch it for four years um and you start sitting there going well that bug is fixed for everybody out there but not us and so one thing to look at is well maybe we should be actually being a little bit more agile in corporate environments for certain critical critical applications where the security update comes in through good mechanisms to make sure they're getting pushed pretty quickly um so i said other things you can look at
in uh can i use versions of images have been improved webp is looking pretty cool these days as a format not supported in everything i was pasting webp images into teams the other day i didn't understand it but the efficiency that you get on that is huge and fully supported across browsers one hack that happened a while back was the takedown of an accessibility service online and it brought my attention around to sub resource integrity sub resource integrity is the ability for you to say look i've got this library or framework typically javascript could be a font could be anything to be honest and i'm loading it from an external cdn or an external site something that is
from another origin but i don't want it to change i want to make sure that you're still running the same version because i've got an external dependency now now prior to this um quite often people would have example framework.js and whoever was running that cdn was free to update it at any time they wanted to they could do maintenance on it new functionality but also they could be compromised and take down everybody who is leveraging that shared cdn resource that happened with this accessibility service that was running um there were organizations here in australia a lot of public sector in the uk was taken down with it and cleverly enough the uh injection that was put into it was a bitcoin minor
with a throttle to i think 50 or 70 of cpu so that people wouldn't recognize that their browser was just going sluggish for a bit so you can definitely generate integrity checksums in fact you can generate multiple in this case it's a sha 384 and your browser will actually validate that the cross origin resource that it's just loaded does actually meet that checksum before it loads executes or uses it important for example in fonts there's been a lot of font vulnerabilities over time and cross-origin means don't actually add any cookies or any other indications to be able to tell who i am you can generate those sri hashes online from that website um and if you are
leveraging third-party cdns too so if the resources are all self-contained on your own site well it's the same source which is going to be compromised so there's not a huge amount of advantage in doing so there's been a lot of security headers added into browsers now this kind of stuff is only really for desktop browsers if you've got native integrations then it's not implementing this kind of stuff um my favorite in here and i know i've got to type on the next slide is the strict transport security this header basically is something you can put on your service and say hey if you're happy with my crypto at this stage just remember for some cache age a
year that i'm always a crypto site don't even try unencrypted http this is changing over time because browsers slowly are starting to go to https by default it's just it's 20 21. um and i've got a bit on that in a second so uh you can enforce this also for your entire domain um that's a big one-way trip um if you're going to say every service under my domain name including intranet.example.com is an https service you're saying you're going to use https for everything which is a good thing but might catch you out by surprise if your internet currently has that big not secure warning in the browser chrome at the moment um you can preload that also so once you've
got the hsts header on your service you can tutor along to hsts preload register your site in that and the browser manufacturers go and pick up a database to precede the next version of their browser that you will automatically get by the crossover mechanisms of versions that it won't even need to make that initial unsecured http request of course most of that initial unsecured http request is a redirect to go up to https don't even bother with that um interestingly i was running a poll on linkedin the last couple of days asking which organizations have blocked http from their users so if you go into your corporate environment can you actually get to neverssl.com so neverssl.com is an http
only site run by one of my former colleagues at abs uh col mccarthy and it's designed that you've got something that is always going to be an http endpoint to validate why you would still have that on your corporate network when most of your users are going to always go up to https why would you start with an untrusted source beats me but of that poll no one responded that their organization had taken that move to block unencrypted hp i have worked with someone recently to do that in their production environment and it's a great step forward okay um referrer policies this is one source of information leakage which i think we were speaking about yesterday about uh
following RFID chips from medical implants that might actually disclose who the user is or their user ID. This is disclosing the origin, or the host name that you were referred to from, between sources. These days you don't really need it; a lot of that was used for analytics in the early days of the web, and most of this is done now via Google Analytics and other JavaScript providers, so you can actually turn off the browser doing any referrers. It saves a few bytes, and actually the less information you collect the better.

Permissions Policy. Your browser is a pretty powerful beast: your browser has an accelerometer in it, a GPS, it's possibly hooked up to your NFC payment providers. You can actually disable those features in your browser by setting various feature policies on your content in the headers, which, if you've got third-party JavaScript being executed, you can scope so that third-party JavaScript cannot get the GPS locations for your users, but potentially you can from your own JavaScript. A nice little bit of security protection for your customers; nobody wants to see the Strava event again of where all the people... It's been renamed: it was called Permissions Policy, but about six months ago that got renamed and reformatted ever so slightly. No one's heckling anyone, it's very early, yeah, but it's very exciting. I mean, this stuff has taken years to get to the point of having a velocity where there are interesting changes that are happening as a result of interesting stuff happening with people's exploits of, yeah, I linked in to a third-party site and they started getting the GPS location for the visitors to my service. That's bad.

CSPs, Content Security Policies. So this defines where your browser is going to allow to load stuff from, and more interesting things like iframes. Now iframes will have for 15, 20 years been considered bad, but they're still used. If you've got a frame inside a page, what would stop that frame from loading another frame from somewhere else? What stops a legitimate browser from being tricked into hosting your banking home
page in a malicious parent frame? So luckily CSP gives you that capability: you can specify what sources are available to be within your descendant frames, and where you're allowed your ancestor frames to be, typically block everything. This is work extending previous functionality that was there in some various experimental X- headers, but you can do this now in CSPs. One of the ones tying into what I was talking about earlier was Certificate Transparency. This header is actually going away, because all of the certificate transparency is now in the certificate; you don't need to go and actually look up third-party log files, so you can get rid of them. June 2021 it's supposed to become obsolete, so there we go.

I've got a few very interesting ones that have just come up as well: cross-origin embedder policies, so allowing a site to say my assets should be loaded by a specific host. And again we're looking here at legitimate browsers which are being tricked by third parties remote to them, so that the legitimate browser can be used to assist you in your security profile. These are going to basically make things like pop-ups not share context for the JavaScript engine between the pop-up and the window under it; they'll be in different origins, therefore they shouldn't share context. These things I would definitely recommend having a look into; they've only come around in the last couple of months, and they sit with cross-origin resource sharing headers as well.

Okay, but what I think is actually now much more interesting is: how the hell do you hear if a tree falls in a wood and no one is there? I.e. you've got people using your service and they get a JavaScript error out on the internet. Traditionally you would never hear about any of this stuff, but there's another header called the Network Error Logging header, and reporting mechanisms, which can tell a browser: if you have any issues with this site, please report to this location, but remember this location for the next year. So even if that person is in a walled
garden of an airport, if we remember what those were, then they might get denied access to your service, and when they next come onto the network and do have access they'll channel a report off to you saying: at this time I was on this address, I couldn't get to you, or I had a certificate failure, or I had all kinds of network failures on those classifications of reports. Really interesting stuff that you wouldn't have seen, and there are services out there that you can just subscribe to to have them receive, show and log your errors that are coming from your clients. And the nice thing is that by doing that you can find out the bad news about, hey, we've got broken images, our JavaScript doesn't work in this specific browser, faster than waiting for your users to phone up your help desk, get through level one to level two to a developer to a release cycle. As M said once in one of the Bond films, unlike the Americans we prefer not to get our bad news on CNN. Get your own bad news first. Those reports are delivered as JSON, something like that, so you can see whether it was a content security policy that was transgressed or anything else in there.

Certificate pinning is one that I'm going to own; I see a few laughs. Do not do this. This is the shoot-yourself-in-the-foot: oh my god, I needed to change my certificate, but I've told everyone I'm not changing it for a year. I would call this the career-limiting move. So yes, just don't. And that's actually a good thing: these things have come around, been experimented with in production, and then deemed, you know what, let's not. And it's that level of experimentation which has really moved things forward a hell of a lot.

Firefox and Chrome no longer support FTP in the browser. They never supported FTPS, so don't. More recent versions of Chrome use HTTPS by default except for special addresses like localhost and others like that. It's the start. Nick, yes, if they supported magnet links they
would use an S3 very possibly, yes. Other changes: as of version 91 of Firefox, only in private browsing mode, anything you click or enter will be upgraded to HTTPS. So this is obviously very fine-grained testing before it becomes a blanket rollout of HTTPS everywhere. Mixed content is blocked as of the end of last month in Chrome. One of my favorites: Triple DES is removed as a cipher. For anyone who doesn't know, DES was okay, Triple DES was stronger, Double DES in the middle there was weaker than both single DES and Triple DES; just don't. Another change that some of you may remember was Extended Validation. You could get an even better certificate with a guarantee, a warranty of some sort, and instead of showing a host name it would show your registered company name. So for example Stripe Inc. Has anyone here heard of Stripe? Yeah, what do they do? Oh no, no, I'm talking about Stripe Inc of Wichita, who are in a totally different environment, who could actually make a browser come up with Stripe Inc, which looks exactly like the Stripe you're all thinking of. This is terrible, and so this approach of running a business of going for extra money, we will display something different, is basically dead. If you're currently buying Extended Validation certificates from a CA, consider not, because it's just not worth it.

Protocol changes. In the beginning, in fact HTTP 0.9 in the very beginning, but HTTP 1.0: open a connection to a server across the network, request something, get that object, close the connection. Oh look at me, I need to go and get something else, off we go again: open a connection, request something, get it. Oh, I need something else. Browsers got around that by having multiple streams or threads in parallel doing that. We moved to HTTP 1.1 where we could say get a connection open, request something, but hold the phone, I might ask for something else. Yes, I want something else. Trying to optimize the network approach of this; that was 1997, 24 years ago.
In 2015, a long time between drinks, HTTP/2 moved this from being a plain-text to a binary-based protocol, and also streaming parallel threads of transfer for the objects being requested. So you could open a connection and say I want one, two, three, four, five, whenever you're ready just send them to me: a little bit of one, little bit of three, little bit of two, a little bit of four, five, one, finish one, finish three, we finished two, and all these things would stream down as quickly as possible. Very efficient on the network, but it did actually start to introduce things like, if I lose a packet on the internet, that stream, although there are multiple threads within that one connection, might then have to retransmit a whole bunch of stuff. And so what we're seeing now is a much bigger change, and this is with HTTP/3, and I'm thrilled to see things like Cloudflare already supporting that. In fact the BSides website, if you've gone to it, is coming to you over HTTP/3 if your browser is up to date and you've got access to send outbound UDP traffic. Why UDP? Because it's no longer over TCP 443. Yes, HTTP/3 is really going to confuse your network administration team, and it's going to silently downgrade back to HTTP/2 for the next while, but it's out there, it's fully supported in all browsers, and it's very efficient on the network. Of course, the process of service discovery: there's no dedicated port for HTTP/3, so your browser goes to an initial HTTP/2 connection, sees that header, and goes okay, the maximum age, ma, to remember this for is a day, I'll just go back and use the same endpoint over UDP to request all of those resources you were after.

I think I'm nearly on time. Was that an interesting journey through that? So I've got a few other resources that you can go and use. These are things that are possibly well known: securityheaders.com, run by Scott Helme out of the UK, great site, he maintains
it really well. Throw any URL into it and he'll give you, after a single hit, these are the headers you've got, these are the ones you're missing, and it's a rating A through F. I'm loving the gamification of security, because it makes it really easy for people to go and consume it and incrementally fix things to get a better rating. SSL Labs, Ivan Ristic originally, who's now moved on to hardenize.com and expanded that out. Hardenize is really good; it goes beyond web security, also looks at things like your TLS for your mail system. You know, yeah, we're all TLS 1.3 on the website, yeah, TLS 1.0 on SMTP. There's lots of places to go and look at this kind of stuff. observatory.mozilla.com: the nice thing there is it keeps a history of your scores, so you can see improvements and degradations over time. And of course for private endpoints you can use Google Lighthouse, which you've already got in Chrome on your desktop, or testssl.sh, which is a shell script you can download and hit private endpoints with, to give you that same kind of visibility of what that profile looks like. A bunch of people you might want to have a look at on Twitter, some really interesting people. One interesting thing I've got up there, and I'll go back to my I can days: we registered the domain rcpt.to the week that the .to domain opened, and .to is Tonga. The running joke was, as we were Wiresharking SMTP, we could see RCPT TO james at rcpt.to. It's not hugely funny now, but we thought it was really funny back in the day, and as a result the Tongan CERT now follows me, so that's interesting.

But in summary, everything in the technology space that we're looking at, in fact everything that we deal with, is a sunrise and a sunset: new stuff is coming up, old stuff is going away. But don't wait until the sunset to turn stuff off, because it's likely already a poor security choice, and waiting for the vendor to finally remove it is probably way too late. It is a saving function, but you can be much better than that. HTML and IP stood the test of time; open source, RFCs and the W3C recommendations for the win. Flash, not so much. And that is the end. Any questions? Yes. Hey, thank you, thank you, very kind. Yes please.
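As an added example, not part of the talk or its slides: a small Python checker in the spirit of securityheaders.com that takes one response's headers and flags the points the talk makes (HSTS preload requirements, a leaky Referrer-Policy, geolocation left open in Permissions-Policy, no CSP frame-ancestors, obsolete Expect-CT, HPKP pinning, missing COOP/COEP and NEL/Report-To), and reads the Alt-Svc advertisement that lets a browser come back over HTTP/3. The header names are the real ones; the two header sets at the bottom are constructed samples, not real sites.

```python
# Added example (not the talk's code): check one response's headers against the talk's advice.
import json
import re

ONE_YEAR = 31536000  # seconds; also the max-age floor hstspreload.org requires
# Referrer-Policy values that never send the full URL (path and query) cross-origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def _directive(value, name):
    """Return the token list of a ';'-separated directive (CSP style), or None if absent."""
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def _max_age(value):
    """Parse max-age=N out of a header value; 0 if absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def check_headers(headers):
    """Return (severity, message) findings for one response; [] means every check passed.
    `headers` maps header name -> value; names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS: the browser only refuses plain HTTP once it has seen this header.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "no Strict-Transport-Security: plain HTTP still accepted"))
    else:
        age = _max_age(hsts)
        flags = {t.strip().lower() for t in hsts.split(";")}
        if age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age {age} is under one year; preload needs {ONE_YEAR}"))
        if "includesubdomains" not in flags or "preload" not in flags:
            findings.append(("info", "HSTS lacks includeSubDomains/preload; the preload list rejects it"))
    # Referrer-Policy: anything outside the safe set leaks where the user came from.
    rp = h.get("referrer-policy", "").strip().lower()
    if rp not in SAFE_REFERRER:
        findings.append(("low", f"Referrer-Policy {rp or 'missing'}: URL may leak to third parties"))
    # Permissions-Policy: geolocation should be off or limited to the site's own scripts.
    if not re.search(r"geolocation\s*=\s*\(\s*(?:self)?\s*\)", h.get("permissions-policy", "")):
        findings.append(("low", "Permissions-Policy does not restrict geolocation to self (or off)"))
    # CSP frame-ancestors: the defence against being framed by a malicious parent page.
    fa = _directive(h.get("content-security-policy", ""), "frame-ancestors")
    if fa is None or not {t.lower() for t in fa} <= {"'none'", "'self'"}:
        findings.append(("high", "CSP frame-ancestors missing or permissive: page can be framed"))
    # Headers the talk says to drop: CT proof rides in the certificate now, and pinning locks you out.
    if "expect-ct" in h:
        findings.append(("info", "Expect-CT is obsolete; remove it"))
    if "public-key-pins" in h:
        findings.append(("high", "Public-Key-Pins present: do not pin"))
    # COOP/COEP: keep pop-ups and embeds from sharing a browsing context with the page.
    for name in ("cross-origin-opener-policy", "cross-origin-embedder-policy"):
        if name not in h:
            findings.append(("low", f"{name} missing: pop-ups/embeds may share context"))
    # NEL + Report-To: both JSON; NEL's report_to must name a Report-To group.
    try:
        nel = json.loads(h.get("nel", "null"))
        rt = json.loads(h.get("report-to", "null"))
    except json.JSONDecodeError:
        nel = rt = None
    if not (isinstance(nel, dict) and isinstance(rt, dict)):
        findings.append(("info", "no NEL/Report-To: client-side network errors never reach you"))
    elif nel.get("report_to") != rt.get("group") or nel.get("max_age", 0) < ONE_YEAR:
        findings.append(("low", "NEL does not match the Report-To group, or max_age is under a year"))
    return findings


def h3_max_age(headers):
    """Seconds a client may cache an Alt-Svc h3 advertisement (default 86400), or None if absent."""
    alt = {k.lower(): v for k, v in headers.items()}.get("alt-svc", "")
    m = re.search(r"\bh3(?:-\d+)?=\"[^\"]*\"((?:\s*;\s*[a-z]+=[^,;\s]+)*)", alt)
    if not m:
        return None
    ma = re.search(r"ma=(\d+)", m.group(1))
    return int(ma.group(1)) if ma else 86400


# Constructed sample responses (placeholder endpoints, not real sites).
WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src 'self'",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER"; max-age=31536000',
    "Expect-CT": "max-age=86400, enforce",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(self), accelerometer=(), payment=()",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Report-To": '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://reports.example/nel"}]}',
    "NEL": '{"report_to":"default","max_age":31536000,"include_subdomains":true}',
    "Alt-Svc": 'h3=":443"; ma=86400, h3-29=":443"; ma=86400',
}
```

`check_headers(WEAK)` returns ten findings and `check_headers(HARDENED)` returns none; `h3_max_age(HARDENED)` gives the one-day cache the talk describes.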
One of the primary motivations for shorter lifetimes is: once you issue a certificate it can be out there for a really long time, and if you discover a flaw in a signing algorithm it might take a long time for the fix for that to be fully deployed in the network. Luckily RSA has stood the test of time as far as we can tell. There may be quantum computers with large numbers of qubits which we haven't found out about yet, which might not be there, but if they are disclosed, then what's going to be better: changing over within a three-month period or a three-year period for the planet? That's probably the biggest one, yeah.

Good question, thank you.
Sort of my take on it, from where I work on the DFIR side: cert pinning stops an organization doing TLS intercept as well, so possibly short lifetimes in that span might be wanting... okay, ensure that the TLS intercept isn't happening. What's the impact on some of the newer protocols? Like, will organizations still be able to do TLS intercept, will that become more difficult?

So the question, I'll just repeat for the stream, is TLS intercept and cert pinning. I think one of the key things for TLS intercept is the client base which is being intercepted: in the corporate environment, you're using a corporate device and you've already been rumbled, the internal CA certificate has been pre-populated into your trust store. There's nothing you can do at that stage; you're already compromised. What becomes interesting is the BYOD environment: do you take the company certificate and subscribe to trusting what the company thinks is CommBank or Westpac when you're going through their network, or do you just tether to your own and not use their bandwidth? Yeah, it's an interesting piece. I see the advantages for doing intercept to be able to scan stuff, but I think there's a lot of things that we need to fix up in corporate networks, one of which is, I mean, anyone here had a phishing email sent to them? Yeah. So there is a large number of phishing
links that are sent out where, when you click the link, which protocol are you using? For some of them HTTPS, yeah, but there's still a large number that is HTTP, so why support that still? That's an untick-that-box. But for HTTPS, yeah, that's when you would want to do it, or domain reputation. You've still got things like DNS lookups happening from clients, so what's the reputation of the host that you're looking up, and does your DNS support actually going, you know what, NXDOMAIN for that, I don't want you going to geocities.com because it's got no right usage these days in that context. SNI, for those that know about Server Name Indication at the beginning of TLS, that is being moved to being encrypted SNI, because that will also rumble where users are trying to look. So there's a lot of privacy concerns going both ways; especially corporate is one, but citizens in oppressed regimes is another one. You know, that was the Arab Spring uprising of 10 years ago or so. And as I spoke about my conference, I'll just call out Dr David Glance as well, who was one of our speakers in 2003. Thank you very much. Anyone else? Was anyone else here at LCA? Yeah, yeah, why not, shame everybody, in for a penny in for a pound. Anyone else here who was at LCA 2003 here in Perth? One, two. No? Hey, you missed a good conference. It was good. Anyway, any other questions? Yes.
No, you shouldn't. So the question was about encrypted SNI and being able to choose the correct TLS certificate on a host, and not needing one unique certificate per host-and-port combination. That was a terrible situation, of course made worse by the fact we've got so much IPv4 address space around, haven't we. Oh, by the way, enable IPv6 for everything please; it's well past time. No, because the other end will be able to decrypt the SNI that you were after to still make that choice, so there is a pre-conversation to actually share a key on that. Thank you for the question. I'm probably over time, aren't I? You're getting close; there's a heap of questions.

Do ask.
Thank you everybody. Thank you guys, thank you. [Applause] We're just going to hand over now. Next, if you want to wander around, we'll get you set up. A couple of bits I forgot to mention earlier on, so sponsor shout-outs: keep the hashtags going. Thanks again Kinetic IT, platinum sponsor; PwC, Telstra, CyberCX, all gold this year round. This is a massive help for us; it really keeps things going. Fifth Domain for the CTF; Canva, West Australian Innovation Hub and CrowdStrike are silver sponsors. What else we've got: UWA for hosting us, CyberSec People, Fortinet, ES2, Exabeam, Rapid7, Trustwave, thank you everyone jumping in there, and PentesterLab, Louie of course. Curious about that.

Two really important things. If you just keep the noise down just one second and I'll run through those, thank you. Any time today I'm going to say, and if you don't hear it you're lost: 2019 badges, they do exist. I have 300 or so in my car at the moment. If you want to give me space back in my garage, for the love of god come and take some badges away from me. And some people had a bit of a whinge yesterday that they didn't have the full functionality on these badges, because silicon shortages made that a real big problem for us. Go and see Kinetic IT in the 48. The business card giveaways that they have there are all RFID/NFC business cards, so you can actually do the same kind of things on those as you can with these badges. Go and sign up, have a chat, get the black business card badge, similar functionality, so go grab some of those. I think we're pretty close to handing over now. How we doing, Dolls? We're all good. All right, for everyone listening at home, we're just getting ready for Bex.
Bex, so much positive feedback on Discord for you. It's Bex, Bex, yay Bex. Everyone says hi and good luck.

Ian's loving my glasses. Hang on, let me go close up. Ian, can you see me?

Let's have a look who's paying me to say these things. Photo monkey, yes. Lots of people. BSides 2022 is dependent on me saying these things? No it's not, we'll make it happen anyway. Ian's really, blow, god, you really like those glasses, don't you? I can't see without them. If I take them off seductively looking at you, you'll just be blurry afterwards. Let's have a look. Hey, will this work? Are you getting all the love? Did you find that? That's great. Right, cool, I think we're about ready to kick off, getting close. See if I can remember what I'm talking about. All the love. Password was incorrect.
This, and you change the password to two two one.

Oh, I'm getting... have I been doing love hearts at the camera and people can't see me? I don't know. His headphones were going crazy in the bag and it was like we just kept shuffling and playing other stuff through YouTube, so we had like a podcast with Kev on, listening.

Okay, we've got a couple of questions coming through on Discord just while we're setting up. Lots of love for Bex, which is good to see. Sneaky's asked who my favorite organizer starting with the letter S is. That would have to be sexy, sexy Dolls. Safe sign? Oh, and ending in -nikki? Yeah, that would be Sneaky, my second favorite co-organizer. Let's have a look. They're weird. That password comes up as hunter2; it's just asterisks online.

Oh, definitely Ian's nailed it: there is no Satoshi. Oh, Ian says he can't see your love hearts; keep them coming. I love hearts.

The created date on these slides says like 1:42 this morning. Time stomping, looking at my metadata. Ah, all the love, cool. Are you using the... you've got the top mic on? Yeah, perfect. Does this work? Yep. All right, we're going to switch over. I'll kill this mic. Thanks everyone, and I'll get off the air so you're ready for Bex. Cheers all.
Right, let's try that again. Yeah, good to go.

Thanks guys, I'll just keep doing the hearts.

How about now?

Right here.

Is that right? So I don't go over time.

Ah, thank you. I like this real-time feedback here. Hello.

Are we having issues sharing slides? So...
It's so good, no problem.

We are just having a few small technical problems; will be online in a few minutes.

I'm not... I'm kind of on camera, kind of on camera live, and microphone, but you could see...
I feel like it's just...

Start doing a jig for entertainment.
I'll move my notes maybe.

Huh, well, I break...

Okay.
All right, thanks everyone, sorry for the short technical delay. It definitely wasn't my fault; maybe it was. Thanks B. I'm just waiting to see if this actually works; it's the delay like we had yesterday, I think. Cool. All right, thanks everyone for coming, and thanks so much to BSides and all of the sponsors for having me and for putting on such an amazing event. My name's Bex Knightheart, I work in the digital forensics and incident response team at ParaFlare, and I've also been one of the chapter leads at the Australian Women in Security Network Perth chapter for a number of years. I don't really like talking about myself too much, so we'll carry on.

Actually there is a very important definition there, and hopefully it doesn't disappear off the stream. I'm totally not stalking a cyber criminal, and I completely lied when I said this is about the digital transformation of stuff, because I kind of didn't want a title that made me sound like a complete weirdo. So I came across a term called spooring, which still kind of sounds creepy, but it's about tracking animals or people by essentially the [ __ ] that they leave behind, and I thought that was kind of fitting. Move on, move on, there we go. Cool, so what am I doing? So originally I kind of started out this project because we had a client come to us with a phishing incident; they had multiple credentials compromised. You don't actually see many companies investigate simple phishing incidents, which is a bit of a shame, because often we're using kind of outdated playbooks to respond to phishing incidents, and we don't fully understand the scale and the impact of them. So it was quite good: we came in, no money was lost, looked at what data was potentially taken. But it's through the information sharing that's been ongoing through the security community, and particularly, and I always bring him up because he's so amazing, Daniel McNamara at Telstra:
if you're in the JCSC Slack and look in the manual IOC channel you just see him pumping in phishing links just constantly, and if you can continue monitoring them you'll see patterns in certain kind of, I guess, phishing operators, and through that you can link certain phishing incidents to a cluster of activity, whether that's a particular phishing kit, an actor or a group of actors. So through that I was able to identify for this client the kind of likely individuals involved and the types of things that they would do as a part of an attack. They asked me to dig a little bit deeper, which is pretty cool; they're like, well, what do they want? And so I did a bit of digging and, yeah, found more than I was kind of expecting.

So I cut my teeth in digital forensics at BDO, which is traditionally an accounting firm. I was in the forensic accounting team; I was like, I totally know accounting, you should hire me. Yeah, the advert was kind of vaguely worded, and they said, you know, assist with digital forensics stuff, and I'm like, I can do that. They want an accounting degree or similar; well, I don't know, Bachelor of Counter Terrorism, Security and Intelligence, that's totally related to accounting. They took me on, which was awesome. So I got exposed to fraud investigations and got involved in forensic accounting, and one of the partners there said I was a closet accountant, and I think I slightly agree with her, because I have really enjoyed looking at the financial aspects of this particular actor. So yeah, I do kind of miss that a bit.

So the information that I have found I have been sharing with law enforcement. If I identify victims, I do notify them. I do share certain things with industry within a kind of limited capacity. Given that there's a high likelihood that some law enforcement action will take place, I'm having to be quite reserved in the information that I do present, and if there's anyone
smart enough to put two and two together, please don't go and dox them online, because yeah, that doesn't help. So also, as part of speaking to law enforcement, they're like, well, can you quantify the harm of these phishing incidents? And like, well, how do you do that exactly? You can only really measure what you can see. Not many people talk about how phishing impacts them; it's underreported on a global scale, and crime is somewhat secretive in nature. But what we do have is essentially a phishing-as-a-service operator who sells phishing templates and also offers essentially a managed phishing service, and so we can see from the products and services that he sells the types of, I guess, victims that might be involved in particular phishing incidents, and where that may lead. And so as you can see from the list here, and it's not exhaustive, it covers actually quite a broad range of categories. So it goes from trying to get company credentials, which could lead to ransomware, business email compromise, whatever, to dating sites, which goes on to romance scams, property-type stuff, so that's also, I guess, business email compromise related, with BEC trying to divert really large transactions, so property settlements and things like that. So yeah, potentially quite devastating, but how do you actually link certain incidents to a certain phishing email when nobody talks about it? So you can certainly look at crime statistics and how much it costs the economy and all the rest. Those numbers are [ __ ]. I really hate security statistics [Laughter] because, you know, I think some people... I mean, you don't have visibility over all of the victims, then you've also got people that have ulterior motives, and yeah, I don't know, it just annoys me. Ah, come on. Cool.

So we would think that criminals doing crimesy things would not want to make it completely obvious what they're doing and who they are, because police bashing down your door
at four o'clock in the morning isn't pleasant. But just as I kind of wanted to say I'm totally not a stalker, because that sounds like a really bad thing, but I'm stalking a criminal, so that makes it okay. So I've got this moral justification for this, you know, probably abnormal behavior that I'm undertaking; I'm not lying in bed on my phone and going through someone's personal life. But criminals have a similar approach to their career: they have moral justifications for what they do, and so they don't necessarily see what they're doing as terribly bad. It might actually be celebrated within their community, or they have a perception that they won't get caught, and you will see criminals using lots of different types of justifications for why what they're doing isn't a bad thing. And the particular actor that I've been tracking recently made a post on a religious forum and said, is what I'm doing a sin if the victims of my customers are non-believers? And so all these people chimed in and said yes, it's still a sin, it's still illegal, you shouldn't do this, right? But all it takes is some person to say no, that's totally justified, all non-believers are deserving of this, and he can feel comfortable in himself: that's totally cool, man. But yeah, these people then suggested that maybe he'd look at a legitimate job in cyber security [Laughter], and we know that that's worked for a select few people, but I don't know if I would hire this person.

But yeah, you'd be surprised just what you can find on social media. Facebook: there's public groups dedicated to scamming, so type in "scammers professional", something will come up; type in "scam pages", stuff will come up; type in "SMTP inboxes" or "inboxing", stuff will come up. You can find it. So this guy uses his real name,
including in some of the email addresses he's used to register a lot of domain names. His wife is obsessive on Facebook; it's multiple times a day posting pictures of food and the new car that they've bought, and you know, it's pretty cool. So pretty much everything I've learned about this guy is from social media, and other stuff is from hack forums, where quite often the most juicy information comes from: where one criminal has been scammed by him and is complaining about him, or he's been scammed by another criminal and so he's complaining about them, and they post screenshots. And so there's screenshots of bitcoin addresses. For some reason he shared his email and password with a criminal and took a screenshot of that. I haven't tested it, but yeah, I'd say he probably reuses that one; it's his special one for RDP things, so yeah, still in use. He also has developers who think that GitHub is a great place to host the online website that he actually runs. So, man, it is just this never-ending kind of gold mine of stuff.

So he's been at fairly dodgy things probably since, I'd say, early teens, but I don't really have visibility going back that far. I can see he certainly started to get involved in illegal activity around about 2011: defacing websites, planting web shells, account compromises, experimenting with botnets and all the rest. It was around about 2015 that he started advertising services on online forums to essentially sell phishing templates and letters. Letters are essentially the email, so another way of kind of downgrading what is actually being done. So he relied on forums quite a bit for that. The bitcoin address that he used between 2015 and 2018 remains steady, which, you know, is fantastic because it's just all there, you don't have to put any effort in, and I'll show a graph later. 2018 he established his own e-commerce website, so openly advertising the sale of all of those
phishing kits, phishing templates that I showed earlier. He, I think, yeah, 2015-ish he started at a fairly kind of low fee, and that's increased, up to fivefold, over this period basically, which is pretty decent. He's the kind of guy that likes to contribute to the community, so if he wasn't involved in crime he'd probably be a top bloke [Laughter]. He publishes tutorials on how to do things and helps in forums answering questions, gives things away for free sometimes because he's such a generous guy, buys his wife lots of bling, so spoiled. But yeah, his business has just picked up, especially in the last year, and this is with the introduction of what I'd like to call his managed phishing services, because for a very large fee, I mean, we're talking about a thousand dollars a month in a country where that's probably someone's half a year's wages, he will deliver the phishing emails. Basically when accounts are compromised, and particularly business accounts, they'll then log in and start using the compromised accounts within the business to spray out more phishing emails within the organization, compromising more and more; it's just a fan-out effect. And then actually use the infrastructure of victims to host phishing lures. So if you've ever seen a PDF hosted in some random company's OneDrive with a link to a phishing site, they've probably been compromised by the same group. I mean, heaps of them, heaps of them do it, but yeah. So he'll offer that service, and he'll give you the cred logs at the end of the week, and by then I'd say that he's probably done what he wants to do with these logs that are intended for the customer, but he's still having such a great service [Laughter]. So that's been a huge revenue generator, and he's also hired some people, which is pretty cool; he's paying them a wage,
so you know jobs for mates um and and he's inc he's got automation happening you know it's like a phishing site goes down because someone's reported as malicious customer can log into the port or push a button magic new fishing side up for them um so i estimate that there's more than 100 fishing sites seriously we're up to five minutes i thought i might ramble on a bit sorry guys um so yeah it makes a lot of money 98k in 60 days and people are saying maybe you should go get a legit job [Laughter] don't know about that man but majority of the income is coming through that managed fishing service and the vip fishing service which is up the top that
is where customers can choose to target specific lists of email addresses essentially lots of bitcoin um i'm still kind of collecting i can only track as much as i can find but all this information has come from well there was a hundred and something page pdf document with invoices for web design and hosting um back in 2019-2020 and also more recent kind of list of customers and things that they bought and so uh he kindly put the transaction id number for um quite a lot of these customers i was then able to uh find their bitcoin um addresses associated with it uh one of the earlier ones if people want to take a photo quickly just if you want to go down a
rabbit hole this was this was one of the change addresses for a bitcoin payment that was made to him associated with the shadow brokers apparently so once everyone's got a photo i'll move on see what we can find around there at least this won't come back to him so one of the things that really frustrated me was that i had a photograph of the of his license and domain names were registered in his name with his address i was like cool i know where this guy lives [ __ ] he's building a new home where is he going um then we have google so his mate that helped build the house left a five star review
he's uploaded photos of his house um he's called the place after his son um and it looks like this heavily fortified kind of bikey clubhouse except it has this mule at the front so this is my artist because i'm not going to show the actual house because you know how that goes um so so last night i was like okay i have to show you something to kind of give an indication of what it looks like yeah it totally no crime here there's you know this cartoon mural out the front legit innocent yeah cool that's my final slide i'm not finishing on the thank you one [Applause] thanks is there any questions we do have a
portable microphone now for those people listening online, so if anyone has a question... Dolls? Yeah, are we going to online first? Uh, we will go in person. Yeah, okay. Does this live in a jurisdiction where it's possible that they can be law enforcement? Yes, so thankfully we have AFP liaison officers over there, so very good chance. It's just that the international law enforcement agency has very limited resources, which is a shame, but hopefully we'll get there.
...because he's listed as married to her on his Facebook account. It's fantastic, it's just Christine.
Yeah, really good question. From the feedback I've received, that's definitely enough to get him. It's just that I'm weird and I like to do this, and so I keep on doing this, and I don't know how long it's going to take for them to catch them. And so part of what I'm actually doing now is looking at the customers, so I've been able to identify some of the customers as well, so I'm just going to keep filling in my time doing strange things. But really good question: what's the point of burning resources if you've got enough? But I'm doing it for fun, so yeah. Up the back.
He's got staff, he's got kids, he's also got a new puppy. Like, dude, I saw the fluffy thing, I was like, oh man. [Laughter] I need to donate some dog biscuits later. All right, we probably have time for one more question; that's up the front here. Dolls: on his Facebook?
Well, he used his Facebook to talk about... like, he's a part of a public hacking group on Facebook. He uses his real name on Facebook, he uses his real name on domain registrations and sub-domains of some of his illicit websites. Like, he's just fully... through digging through all of the related domains on his infrastructure, like he used a virtual private server, and he also screenshotted, sorry, took a photo of his screen with the IP address as well, which was pretty fun. No, no, I found the bitcoin address just by digging into him, and then found a complaint which included a discussion on ICQ about the transferring of funds to purchase things.

Just through looking at who was linked to the phishing infrastructure, essentially. So yeah, you kind of just follow things and then eventually you'll come to something where you go, ah yeah, got it, and then you just use various points and increase your level of confidence in what you found and whether that actually makes sense and it is solid, absolutely solid. So yeah, cool. Cool, thanks Bex. Now it's donuts time again; we're going to eat them outside this time, so please enjoy. [Applause]
Hello, all right, we're ready to kick off the post morning break. Discord channel, can you hear me? Let's see somebody ping in something. No music apparently, that's a good thing. Stress migraine? Cool, we're all working there, speak to us. BSides? Yeah, we're here. All right, people are just coming back in, gorged with donuts. For those that missed the message earlier on, we do have to station a volley outside with the donuts because the crows keep coming down trying to steal them, so the more you can eat the more it helps us. They're outside today because three inches deep on the floor out here is sugar, and that has really proved very difficult to try and sweep away last night, so it saves us a bit of a job. Cool, people are back in, that's all good. People out of state, we're happy to ship some 2019 badges and bits over; I don't know whether you can distribute it via SecTalks channels or something over there, work it out. Jesus, look at me. Dolls on the camera: we were just saying how lean we were yesterday, and then the diet of nothing but the coffee and doughnuts, as bloated as that, Jesus, look at that. All right, I'm going running later. Cool, we're just warming up the video now, and then we will be handing over to Buffy. Cool, all right, we're going to cut over to that now. See you on the other side, cheers.
Perth, I'm Error Buffer Overflow, or Buffy for short. Today I'll be walking you through three different societies, exploring their successes, failures and reasons for perseverance, and drawing parallels between these empires and modern-day security culture. I'll also provide a set of tools to help you identify similar issues in your company's security culture, which brings me to collapsology, a transdisciplinary study of risks that result in the collapse of empires. And just as a heads up, today we will be talking about some of the toxic parts of workplace culture, so that might bring upon some bad memories for some of you.

Our first stop today is the Neo-Assyrian Empire, which at the time was the largest empire of the world. They were located in the Near East and had control over modern-day Lebanon, Syria, parts of Turkey and Egypt. The empire was established in the 10th century BC and ultimately collapsed in the seventh. So let's take a look at one of the key influences that resulted in the fall of this empire, the lessons we can learn from their failure, and what we can do to prevent the same fate. So after the death of the king of Assyria in 631 BC there was a lot of political instability and ongoing civil war between many of the occupied territories as they fought to gain independence from their middle managers, I mean rulers. The rulers of the time even wrote about their fears of internal danger, palace intrigue and rebellion, but what made management's situation worse was that the Assyrians gained most of their territory through a show of military dominance and were notorious for resettling conquered people to other areas within the empire, which resulted in pockets of resistance. So while most modern organizations don't collapse after the murder of their CEO or grow by placing armed militia outside corporate headquarters, we can see modern-day equivalents of palace intrigue and rebellion. In the modern day these types of political threats occur when interests and agendas collide in a way that has an impact on the organization's ability to operate, and this is the same for security teams. One of the most common political threats
I've observed is turf wars, when managers or employees engage in competition for bureaucratic control of resources or the advancement of individual or organizational goals. You've probably seen, in the organizations you've worked in, where silos or particular managers stand above the decisions of security, or decisions are consistently undermined. In other cases security management might even cease to exist, or it may be relegated to a small security team with no authority to enforce security decisions. When I was a pen tester I would see turf wars play out on onboarding calls, where the team in charge of provisioning access would challenge or cause delays in getting started because they didn't like that another team had procured penetration testing. When I moved into governance I saw obvious signs of turf wars during risk assessments, when the security team would lament that security objectives were being sidelined for product delivery, even when they were clear drivers. The result was always the same though: low risk acceptance with slow-moving security programs, a large, highly risky security backlog, with a prevalent shadow IT problem.

The other threat that appears when talking about politics is vendor bias, and this can be anyone providing goods and services, including open source. This threat takes many forms, from consulting companies pushing products that aren't adequately matched to the company, to organizations that swear by a particular vendor or hate a vendor to the point it becomes a detriment. It also takes the form of organizations refusing to buy a product because there are similar open source variations, forgetting that you pay for this software in other ways. And while there is some accountability required by the businesses seeking out vendors, it can be very difficult to get unbiased information if you have a small or inexperienced security team, and this is the same in consulting. The outcome of vendor bias, though, is rational security decisions being held hostage by forces that may not be fully articulated or even understood by the organization. You may end up having to devote resources and budget to workarounds to get technology to match security requirements, and security teams may deny themselves the best solution because they've decided that they dislike the provider on personal grounds. Internally, the organization may find itself behind the ball on skills and innovation by continually supporting vendors out of a sense of loyalty, or animosity to the competitor, rather than using sound business analysis, which can be a difficult debt to pay.

Now there isn't much hope for the Neo-Assyrian Empire turning things around at this point, but for organizations now you can reduce the likelihood of these political threats manifesting in similar ways. The first tool we're going to look at today can help you identify that political back and forth. It's called the Competing Security Cultures Framework, and like the name suggests it can
help explain the conflicts and competing priorities that often create security risk and failure, especially those brought on by politics. But don't be fooled, it's not a cure-all, and the framework doesn't pretend to fully describe or explain every organization's security culture in every dimension. It's a tool for learning and exploration, so people working within the context of an organization's security culture can learn more about that culture, assign terms and concepts to it, and identify areas of risk that emerge when security priorities and values come into opposition with one another. So in summary, if the Assyrian Empire was a modern business, we could see how their management style would have incited turf wars as management looked to serve their own goals. By looking at how they left newly occupied territories unmanaged we can see how this would have encouraged smaller teams to make biased vendor decisions, leaving their own teams under-skilled and looking after impractical security tools, and also likely resigning in droves. I also think there would have been a massive shadow IT problem as smaller teams worked to maintain efficiency with small budgets and little oversight. But for you, though, the Competing Security Cultures Framework can be used to help identify these cultural issues by providing you with the ability to describe and interpret the different ways that politics is impacting the security culture.

In the next section we're going to look at some of the success achieved by another empire, what a highly reliable culture can look like, and how you can identify similar qualities in your own organization. By contrast to the Assyrian Empire, the Romans succeeded for nearly 1700 years, and while it eventually collapsed when Constantinople was taken by the Ottoman Turks, Rome's republican institutions left an enduring legacy, influencing the city-state republics of the medieval period as well as early democratic republics. The Roman Empire evolved from ancient Rome and was founded in 27 BC. We're in southern Europe now, where the Roman Empire has continuous territories throughout Europe, North Africa and the Middle East. So let's take a look at what distinguished them from the Assyrians and what tool we can use to make sure
our organization thrives like the Roman Empire once did. I like to call Rome a high reliability empire. They maintained complex social structures and political structures, with a constitution, detailed laws and elected officials such as senators. However, unlike other empires of the time, it wasn't as top-heavy, and they instead deferred to people who were closest to the issues of the time, which was helped by increased social mobility. The Roman army was also known for their sensitivity to operational activities, working to balance the political outcomes of the empire, a process of diplomacy backed by the threat of military action, and their military engagement in order to defeat the enemy. In the modern day, though, organizations that embody similar qualities are called high reliability organizations, and while they have less reliance on military presence, they have continued to adapt to the dangerous and hostile environments that they operate in. The qualities possessed by these types of businesses can be grouped into five principles that explain the qualities seen in the Roman Empire but also distinguish normal businesses from these highly reliable ones.

The first principle is the preoccupation with failure. In most organizations failure is considered a universally bad thing and it should be avoided at all costs. In highly reliable organizations there's actually a drive to identify these failures at all costs and as early as possible, using small failures as a tool to avoid larger disasters. Like the Roman Empire, there is also a reluctance to simplify, but it's not to be mistaken with "complex is good". High reliability organizations maintain a healthy respect for the complexity and unpredictability of their environment and seek complicated answers backed by observation and data. And like the Roman military, there is a sensitivity to operations. High reliability organizations put equal emphasis on the tactical requirements that make strategy work, and leaders don't just do the vision thing, leaving everyone else to hammer out the details; instead they focus on gathering data and knowledge from a variety of sources to make the links between strategy and operations what drives their success. You'll also see in highly reliable organizations a commitment to resilience, and that's because they know that they'll experience failure at some point, and instead of worrying they'll put time and effort into imagining how that failure will occur and what they should do when it arrives. These highly reliable organizations also demonstrate the ability to defer to experts. Hierarchies are important to highly reliable organizations, but not when they hinder people, so instead they focus on the skills and judgment of people who are closest to the systems in question to gather data and feedback, which helps form their strategies. And this brings us to the second tool for today, the Security FORCE Behavioral Model, which measures the qualities we just discussed and maps them back onto
your security program, allowing the business to transform a typical security program into a highly reliable version of itself. This transformation can help businesses reduce the number of large security failures and improve recovery time from failure. But a high reliability security program isn't a label that the security team puts on itself, it's something that it does. It's very similar to duck typing: if it looks like a duck, walks like a duck, quacks like a duck and has the DNA of a duck, it's a duck. This model just defines what it means to be a highly reliable duck. So there are two parts of the model. The first is a survey that can help you assess whether or not employees, not just the security team, believe that the organization has a highly reliable security program. The survey is made up of 25 statements divided into five sections, each representing a value that we just discussed. Respondents are asked to state their level of agreement with each statement, from strongly agree to strongly disagree. Like the Competing Security Cultures Framework, it is a generalist tool, so it's flexible in its application and in how results can be charted, and because highly reliable security programs aren't in organizations where security is both highly centralized and isolated, if you are using this survey it's really important to cast the net wide to make sure you get a good mix of opinions. The second tool is a set of measures for each of these values. It's made so that you can gather data regarding how well you actually embody the behaviors in practice. The metrics measure things like the number of security failure scenarios developed in the past year, the average time to organization decision from idea inception to idea execution, the number of security-related training opportunities provided to people, and so on. These metrics are designed to assess highly reliable security program related traits and compare them over time, so when they're charted the metrics will tell a story of behavioural change and artifact creation, providing empirical evidence that the organization is actually changing behavior rather than creating artificial artifacts to tick a box or please an auditor.
I had a long think about this and I decided that if the Roman Empire was a modern business, it would be a story very similar to that of Code Spaces, who offered developers source code repositories and project management services using Git or Subversion. They'd been operating with great success for seven years and had no shortage of customers, but in 2014 they had their Amazon Elastic Compute Cloud control panel breached and ultimately destroyed by hackers. And so, much like the Roman Empire, where they embodied high reliability and success in some ways, when you take away being adept at failure or practicing the value of resilience, it's easy to see a once thriving empire topple overnight, because high reliability security programs are less about how organizations succeed at security; at the core it's really about how they fail at it, in very particular ways and under very specific circumstances. So you'll notice that a majority of security programs, even very mature ones, will often find capabilities strained when it comes to failure, because they rely on being robust and never having to experience that failure. Unlike the Roman Empire, though, you have the Security FORCE survey and metrics to drive change in habits and behaviors, adopting new ones that will make large failures less likely and help your team respond better.

So far we've explored how the Assyrian Empire fell because of politics, while the Roman Empire had limited success because they embodied only some of the qualities of a high reliability empire. So now we're back in the modern day, and the empire we're actually going to look at now is yours, and we're going to look at what the future could hold if security threats go unchecked and how we can identify them before it's too late. I'll make a safe assumption that because we're at a security conference, most of you have had some sort of interaction with security in some way, whether that be with security engineers, governance and risk teams or security consultants. You might even be the security person or make up a larger security team. So as we go through this section I want you to analyze how security decisions you've been a part of have been made, or how decisions you've seen being made have been handled, and see if you can see these threats lurking in the background. Now the security culture collapsologists can't be sure how successful your organization will be, because the nature of collapsology tends to be retrospective, but we can heed their warnings and try and avoid a similar fate. We can do this by understanding how employees at your organization view the security culture, and look to explore this territory, identify threats and treat them to ensure that your security empire stands the test of time.

One of the most common and threatening logistical threats I've observed is
incompatible outcomes, and I say it's one of the most threatening because it regards strategy, for example how bring your own device is introduced or managed, or how organizations migrate to the cloud or introduce new features into their product. When strategy is managed properly, by involving people closest to the problem, there's a mutual understanding and respect for opinions, and the threat of incompatible outcomes can be largely mitigated. But when product delivery isn't properly balanced with security and privacy controls, especially when imbued with political, emotional and psychological threats, they can grow into serious security issues, promoting shadow IT and encouraging people to circumvent security controls. There'll also be a lack of accountability and lots of finger pointing when things go wrong. And not even large technology companies are immune to this, as we can see when Apple looked to introduce client-side media scanning, which concerned a lot of security and privacy experts, while Slack attempted to roll out its "private message anyone" feature that was quickly rolled back over privacy and harassment concerns. In your organization, though, this can be the sales team promising clients new features without consultation, or engineers rolling out features without security or privacy sign-off, and it's a very common and ubiquitous problem. It's also seen internally when governance teams enforce controls on employees without any regard for their impact on workflow, which results in users relying on shadow IT to get the job done. This threat degrades businesses to the point of creating a sense of false choice, where every concession to the business is seen as a loss for security and every security initiative is seen as a blow to business efficiency, instead of being treated as joint outcomes that can bring value to everyone when properly managed.

But logistical threats aren't the only ones we need to worry about, because we also have emotional threats, specifically fear, uncertainty and doubt, which I think is something that resonates with a lot of people right now. When working as a consultant it was common to have clients call about the latest security news cycle, whether it be the SolarWinds supply chain breach, a principal vulnerability, or the exploitation of public remote desktop services to ransomware businesses. The media's ability to spread fear, uncertainty and doubt is ubiquitous, and it can have a major impact on the business's ability to establish and deliver a long-term cybersecurity strategy, especially when it's captured leadership's attention. And so it's not to say businesses shouldn't address certain risks as they become public, but it's not an effective way to run a whole program, and each risk needs to be weighed up and, if needed, the roadmap adapted. So while it seems attractive to point to the rising cost of security breaches as evidence we need to spend every moment and every dollar on improving security, it is an incompatible outcome with running an effective business, because
features won't ship and it will be easy for a competitor to start providing better service. Fear and uncertainty can also be an excuse for security teams to say no to every piece of innovation, driving engineers to circumvent security to get new ideas off the ground. So if these emotions are allowed to rule, it can make unreasonable security decisions seem perfectly valid and justified, which can make managing security on a daily basis a lot harder.

The last threat we're going to look at is a psychological one, and it's a big one with lots of dimensions: it's bias. It can be introduced by generation, education, geography or culture, not only at an organization level but also at a national one, and each takes a particular way to resolve, and the jurassic causes can become more apparent when leaders aren't sufficiently managing differences in how people process information, interact with technology, learn and approach their own knowledge gaps. A really common example is in communication style, which can be exacerbated by culture, gender, role or education. We also see these differences discussed in how we as an industry write job descriptions, blog posts and engage people in discussion, generally with a lot of domain-specific words and with a very heavy sense of contempt, which can limit who can be included but also who feels included. And we can't forget the impact that the Dunning-Kruger effect can have when someone starts to overstep their knowledge and offer up advice on areas they know little to nothing about. The threat posed by bias can be a difficult one to resolve, especially if people aren't willing to acknowledge their own and management is complicit in encouraging it. But we have one more tool up our sleeve to help us chart these threats: the Security Culture Diagnostic Survey. It provides a means of visualizing the tension between information security stakeholders' priorities and the values that exist in every organization, and maps back onto the Competing Security Cultures Framework we discussed at the start. Keep in mind, like a lot of cultural based things, I can't tell you how to read the results, and the survey isn't going to tell you what's going right or wrong, because culture is a very relative and contextual thing, but it will help you understand how cultures can co-function and collide. The survey is made up of ten questions, each with four responses that align to the four quadrants of the Competing Security Cultures Framework, with questions corresponding to key organizational activities that influence and are influenced by norms and behaviors central to information security culture. But when you go through these questions you will notice that most of them don't actually mention security specifically, and that's deliberate. Security culture is about how hidden assumptions under the surface influence how we do our job, not how the security team looks at security,
and so the response choices allow the respondent to differentiate between the relative importance of stability and standardization, external validation and review, adaptability and freedom of choice, and a sense of shared community and responsibility. When graphed and overlaid with the Competing Cultures Framework you can see what perception looks like compared to reality. The thing that I love about this survey is that it's so versatile, and depending on how the results are charted you can see so many different stories being told. To the right you can see how the results of an organization-wide survey can be mapped onto a radar graph to show which factors people see as the most prevalent and where there might be room for improvement.

In this last section we looked into the future and saw how unmanaged logistical, emotional and psychological threats can manifest and what outcome they result in, with logistical threats impacting how people interact and craft strategy, emotional threats defining how we assess emerging security vulnerabilities and handle them on a day-to-day basis, and psychological threats affecting every aspect of how we interact with people around us, which can encourage groupthink. But the security collapsologists have armed us with a tool that can help us identify these things, in the form of the Security Culture Diagnostic Survey, which asks respondents to express how they see key security operations balanced by the business, giving us an opportunity to map out the present and plan for the future.

We've talked about a lot of different tools and what they can do to help us, but how do they all fit in together? The culture framework and survey give us a top-down view of the security culture, allowing us to orient ourselves amongst the organization's values and assumptions. It tells us areas of competition and cultural risk; it allows security leadership to look at where the organization currently is and decide if directional change is needed. But it won't tell you how to make these changes, because there is no one way, and using methods that work for one organization can have a devastating effect on yours. In comparison, the Security FORCE Behavioral Model is designed to provide a bottom-up perspective, analyzing how security behaves in practice and influences how this translates to group-based values. The behavioral analysis is important because, as an organization, you can't redefine your security culture by only changing behaviors; you also need to understand those drivers. At the same time you need to have some idea of what behaviors to look at and improve if you're ever going to know whether transformation is going to be successful or not, and this consistent cycle between culture and behavior is at the heart of the relationship between the Competing Security Cultures Framework and the Security FORCE Behavioural Model. Influencing culture requires a lot of work to get right, and as they say, Rome wasn't built in a day, or by one person.
Depending on the state of the existing culture there could be a lot of work, and there might even be pushback from your co-workers who value the status quo or managers who benefit from existing power imbalances. So if you're the primary advocate in an unhealthy culture it may not be possible for you to change much, and that's not a failing on you. Before starting, it's important to make sure you have the capacity to manage those internal and external expectations and to set firm boundaries about what is and isn't possible. Once you're ready to take on the job of influencing cultural change, I challenge you to go and talk to your engineers, developers and designers about what problems they see with security. Don't argue, don't justify, just listen. Focus on their needs and critically analyze how security is impacting them, and start monitoring that, informally at first. In most cases I've seen, security often loses out in decisions when the decision makers are far removed from the people who are actually responsible for security, and so part of the job in running this project is to bring decision makers back into the fold to help get buy-in to a project like this. And once you have that, you can start to measure and analyze the security culture to a level where you know enough about it and how it works to make changes that will stick, and that you can demonstrate have stuck. Culture requires someone to look around and identify those behaviors and threats that have borne witness to the rise and fall of empires, and it's these things that undermine every decision we make without knowing it. It's the reason management protocols like RDP end up on the internet, and even on the good days within the best companies these factors are still a massive force, which is why culture is still one of the biggest threats that will face the security industry. It'll persist regardless of code analysis, firewalls and third-party assessments. I'm Buffy, this is collapsology and why your biggest threat is an exposed RDP. Thank you and have an amazing conference. [Applause]
Okay, okay. So for our people watching the stream, you are going to enjoy a talk by Evil D about his recreation of the pager from the movie Hackers, so enjoy that. We'll cut over to that now for everybody here in the theater.
Hello BSides Perth. That's my talk today, on making my version of the pager from Hackers (1995), assuming someone's messed up the schedule and I've just somehow slipped in here. In case you don't know who I am, I'm Evil Diamond. You've probably seen me around from doing the lock picking stuff. I'm an ASE at Bugcrowd. I was put in a newspaper for hacking an IoT fridge. I purchase random AliExpress stuff and break it more often than not, and I'm in the running for the Do Not Get Arrested Challenge 2021.

Anyway, let's get on to the topic at hand. What is this? This is the pager from Hackers (1995). If you haven't seen the film, I do recommend it, it's a great film. Now, every one of them has a pager, except for Joey. No one knows why Joey doesn't have a pager; all the elite hackers do, even the Plague, who's not even a part of the crew, but yeah, Joey's just a [ __ ] nerd. So let's have a look. What are they using? Each one of them is using a non-functioning version of the Motorola Advisor. What they did was they put a plastic screen inside of it that covered the actual cover for it, and they painted over it. They just spray painted over it, gave it a little bit of a rough up. Except for Kate Libby's. Kate Libby uses a Motorola Bravo Express, which is your standard belt-clip style one, really nice, do recommend.

Now, these ones are POCSAG, so a pretty well-known protocol. Basically you can use it to transmit data over large distances. This data source has four buttons for directions, two buttons for a response, so yes or no, an LCD display with two rows for alphanumerics and one symbol row. That's only in the version from the movie Hackers, though; the original version doesn't actually have that, it has a four-column display which includes the symbols as well. But it looks really cool and I want one, so let's try and buy one and just hack it, right?

Yeah, these are slightly expensive these days. Turns out a lot of people like the movie Hackers from 1995, and I don't want to spend 75 bucks plus more for shipping. So we're hackers, let's build our own, and thus begins the downfall. This is what I affectionately refer to as the "how to burn a lot of money, learn about a global chip shortage and lose six months of your life". But what did I want to build? That was the big question. Well, I know how to write some embedded C for Arduinos, so I'm just going to whack it onto an ESP32. That's a pretty standard chip, you'll find them all around. I was going to go grab one, but I realized I don't have one directly behind me; all of them are in the actual versions.

It runs a 2004 character display. Now, these are cheap as chips, you can buy them pretty much anywhere, they're on AliExpress. Most of the ones you see are 16 by 2s, that means 16 characters long by two rows wide. This one's 20 characters by four because I want to get that cool lots of text, and then I want to have the real Grand Central "hack the planet". You need some sort of battery system for it, so I was originally going to go LiPo, but I decided on 18650 in this version; you'll find out why as we move on. Two buttons to move between messages, because why would I want to add a response? And maybe the ability to move onto LoRa, because, you know, the original real hackers wouldn't want to just have ones running on Wi-Fi constantly.

So I built a little proof of concept. I bought a 2004 character display, came with a little SPI converter. All the documentation with this stuff says you must use 5 volts; it runs LEDs on the back and majorly affects the contrast. But the thing is, if you crank up the contrast at 3.3 volts it works fine, there's no issue there, it's crazy. The only one I found was a weird version in the Sunrio displays where it's a negative character light; you can't actually read it if it's at 3.3 volts. I used an ESP32 dev board just because I don't want to be using the baked-on chip at the moment, I just want to whack it together, see if it works. And guess what, I put some dodgy code together, bam, works like an absolute charm, beauty, chef's kiss all around.

Now, this code was pretty, pretty premature. It was just more "let's pull the text file from the server, display it centered, make it look cool". The cool one is the status set notes, because I couldn't write text; you can write a binary for each individual character that you want to display, so you get five by eight for the characters and you can just write zeros and ones in a byte, and then you can draw a super two like I have here. For the power it's just an 18650. These are really easy to buy, most of the time you'll find them in vapes and such like, they're very cheap. The way they work is they output at 3.7 volts continuously, they don't drop down in voltage, they can be charged pretty easily, and in this case I use something called a TP4056. If you've heard about these, they're in every single, and I mean this, every single charge circuit. If you want to charge a LiPo, this is like the bread and butter. You can buy these little cheap ones like this everywhere; I bought these for less than five cents each. And then we use the buck-boost converter, also known as a DC-to-DC boost converter. These do some magic with some cool stuff that's way beyond my knowledge and convert low voltages to high voltages with a pretty good efficiency, usually about 90%. So that's how we're going to power the PoC, and you can see it looks pretty good, it's working and I'm getting power. It doesn't need to be plugged in, sweet.

We've got our proof of concept working. What's next? Let's make a PCB. Well, PCBs are hard and I'm dumb. This is where a good friend of mine, Echo, comes in. I went "hey, I want to do a thing" and they're like "sweet, let's do this", and helped me right through the schematic. I could do some basics; they just took my work and went "yeah, let's make this good". Converted it from a boost converter to a buck-boost converter, because the way it works is a boost converter only allows you to output on a linear scale, so if you decrease the voltage on your one side it decreases on the other. A buck-boost keeps the output voltage the same, which is what we need, we don't want our voltage fluctuating, and that gave me the ability to add LiPo support to this. And we got the first revision. This was ready, at least we thought it was. It was dead on arrival. For every single version of these there were two chips missing on the boards, which we had to replace with, yeah, somewhat working connections, and the charge circuit worked, but really didn't charge LiPos well. But the problem is we came into revision 2 and there's a global chip shortage.

If you don't know about this, this has been the most infuriating time for anyone who works in electronics, basically ever. Since the dark times that we don't talk about, everyone and their mother wants electronics, and silicon wafer chips are impossible to buy, and most of the other components are also impossible to buy. All the prices for the components that we used went up by ridiculous pricing, and we got regular lead times that were 52 weeks, so a year. A year for a component to arrive. Well, I guess I'm going to use the PoC then, just strap all our cables together. So we scratched off PCB, future problem. Let's focus on something more fun: a case design, because you probably don't want to be touching electronics with your grubby hands.

You know, how do we do it? Injection molding is the most common way for cases, but it's expensive. If you want to do injection molding, the molds themselves cost quite a bit of money. Cardboard is cool, but I don't really feel like cutting up a lot of boxes and giving them to people and going "hey, here's your cardboard box". But 3D printing, this is on the cusp, we can do this. So I bought a cheap 3D printer off AliExpress and I built a lot of revisions, and I mean a lot; I have a bin full of PLA plastic that needs to be recycled. We got 10 revisions, and the total size was those six pieces that you need to print and it would work. There were 20 failed prints. Now all we need to do is just print it, right? Look at that, absolute beauty, chef's kiss all around. You can even see we've got one right here; I've turned it off to save battery. And that's cool, we got one working. Now, you notice this one's in a different color; we'll get to why in a second. The problem is my printer carked it. I cracked the extruder, which is apparently a very common issue with this exact version of printer, called the Ender 3 V2, and it wasn't coming out well. You can see in the picture there that that spot there is actually supposed to be filled with filament, but because it was printing like this it wasn't extruding that filament and it couldn't build up the layers.

So where we left off. Remember all those dead prints? Yeah, I do as well. So I whacked them together, we hacked them up, and we got something a little bit like this, where the case is held together beautifully with some beautiful, beautiful electronics tape. Now, I also sent some people some designs if they want to make their own, that's fine; sadly my printer won't. So we crossed that one off and we're left with expansions. Sadly we're going to have to move on to this another day. I want to add LoRa support to this; this would be nice to have, just an actual pager-style solution. I want to get the two buttons actually functioning and not just sitting there looking cool. I want to fix the code to let it do async so I can actually do multiple things on here, get it working off LiPo batteries so we can actually make this less of a chunk boy, and a real PCB that works without 52-week lead times. Now, sadly, I can't answer all your questions because this is a recording.
Ah, keep on finding vulnerabilities before they find you.
Hello, and thank you all for joining my BSides Perth session on Stranger Danger: Finding the Ones Before They Find You. I'd like to begin by acknowledging the traditional owners of the lands on which we meet today, including a special heartfelt acknowledgement to the Whadjuk people, who are the traditional owners here in narrowmind. I'm going to open with a disclaimer. Gasps! I didn't see the asterisks on the talk. No, I'm joking. One of the things I always love doing at the start of my talks is I always start with a tech joke, because it's important that we always keep smiling, particularly in current times. This is an open source joke, so please feel free to, well, share it any way that you want. Why did the vulnerability get tired? Because it ran somewhere. Ah, get it? Hello.

So my name is Developer Steve. I'm one of the senior developer advocates here at Snyk, and I've been a developer advocate or developer evangelist for a number of years now. One of the things I love most is just being able to geek out with community folks, well, all over the world, but just in general on a variety of topics, from IoT to, well, security, to coding, to infrastructure. As a developer, a long-time developer, and I've been developing for a number of years now, it's just one of the things I love the most, in particular sort of talking about, dealing with or contributing to open source projects, which is always one of my favorites. Well, like I said, I've been developing for a number of years now, actually been coding since the age of eight, QBasic, yep. But I've also spent some time in a digital agency building up campaign sites, as a CTO building out a payments platform, and even sort of building out IoT projects, or spending time as well, I spent time as an analyst for 10 years.

One of the things I love most about building out code projects or building out applications is for the end users that I built those applications for, as a developer, as a DevOps, as an all-round geek really. But one of the things I enjoy the most about that is just building out some sort of experience that means a much easier flow of day, or brings something to my end users' lives in so many different ways. If you think of a shopping app or some type of entertainment app or a social networking app that just brings people together, as devs, as technology people, we basically build these applications out to make our users' lives just that little bit more easy, interesting or connected. One of the things I've always been mindful of, building out applications through any number of different industry types, digital agency for example, is when I'm deploying something, just what else is being deployed with it, even inadvertently. If you think of the holistic app stack view as an iceberg, the code that we deploy is basically that little bit at the top that's sticking above the surface of the water, but inside that there can be hidden things, inside dependencies, inside libraries, the vulnerabilities, if you will, that expose our holistic application stack to the wider internet and to malicious actors across the interwebs.

It's no surprise that there's quite a growth across the open source ecosystems. As an adopter, as a lifelong learner of open source stuff, that's the thing I love the most, is how the ecosystems are always constantly growing, constantly learning and constantly building out new methodologies, new techniques, new libraries. But with that also comes vulnerabilities being surfaced, which we also see in exponential growth across the wider ecosystem, or across the ecosystem set, if you will. And that's no surprise, particularly as new attack vectors are being constantly identified, and new vulnerabilities are being surfaced, and indeed new techniques for identifying vulnerabilities are being surfaced consistently. If we look at the different ecosystem types, something we notice is an emergence of how different vulnerability types are being surfaced in particular ecosystems. If you take npm for example, eighty percent of the vulnerabilities that are identified through open source library use is through indirect dependencies.

So I install a particular library, which in turn pulls in a multiple of other dependency libraries, which is where the vulnerability types surface. And there's a number of examples that we see in the wider industry ongoingly where a particular malicious dependency is injected into a popular library type, which is then dispersed across the holistic ecosystem as updates or as installs happen. Indeed, we've seen npm put out alerts before for particular package dependency types, and what sort of effect that's had on the holistic ecosystem. And I just want to take a moment there, too, to recognize that these open source communities do amazing work. I'm a big fan and advocate of a lot of the communities and the work that they do, but more often these are communities run by volunteers, so they need our help, as technology adopters, as technology folks, just to help with identifying not only threats but also potential fixes. There's sometimes a time delay between the initial security alert being raised against a particular library or community project before that is not only identified but then also fixed, patched, and then a release candidate goes out. So I just wanted to take a moment to mention that: always, where possible, particularly if you're using something, contribute back where you can. I know you all do, I just like pointing it out.

One of the ways we do that at Snyk is through a program called Snyk Advisor, which not only allows developers and technology adopters to be able to do some due diligence on the community and on the package in particular, if there's any open vulnerability types, or how quickly the identified vulnerabilities, through CVE reporting, get mitigated, get fixed and, you know, patches rolled out, but also, where possible, we work with the community groups to be able to help get those patches underway and get those fixes in place. We also help manage the Node.js ecosystem vulnerability disclosure program as well, and shout out to the security researchers that help contribute to this and help keep our end users safe, which is what it's all about. Anyway, I have some examples to run through. I have an example I'm going to run through; actually I do have a whole bunch of these, I can put links in. Actually, while I'm doing this talk it's a bit better. Anyway, let's hack it up.

So this first one is a demo app, a JavaScript demo app that we have on the Snyk GitHub. It's the Goof app, it's a basic to-do app which we use to demonstrate the vulnerability types that we're talking about inside one of the libraries. One of the things I always love pointing out is there are 62 known vulnerability types in this particular demo, which is why, you can try this at home, but this is not for production, local only. If you did want to try this at home, there's an exploits folder already in the repo which goes through a whole bunch of different vulnerability types, but we're just looking at one today. And the one we're looking at is a cross-site scripting attack; it's a cross-site scripting vulnerability which is using the marked package, and anything between versions 0.3.1 and 0.3.6 are, well, basically vulnerable.

One of the things I love the most, particularly from the developer side of things, is being able to dig around at the code level and understand the fundamentals of the vulnerability more, for which there's all these great links to the GitHub pull requests and such, as you can see here. You can dig into it some more and even see the initial report, and then how long until the fix went out, or if there's one still pending, so you can do some testing on it. Anyway, let's have a look at the app. So like I said, this is a basic to-do app, and as an end user I can basically input a list of items that I can check off or delete or whatever else. The marked library, which we're using, 0.3.5, as you can see there on the package.json, yeah, we're using 0.3.5. Essentially what it does is it takes user input from that input box and then outputs that, or stores that, as Markdown, so add basic Markdown stuff.

One of the things you can also see here is when we call the library you can set a sanitize: true flag, which is super important. I mean, that should be set to true by default, right? Because we always sanitize user input. What the sanitization tries to do as part of the user input is, well, it tries to sanitize it by a series of regexes and a series of match statements, to try and determine if the user input is something we wouldn't want to see stored, because it can make the stored input vulnerable for the end user. So this is Markdown, so let's give it a spin. This is a bold, oops, bold statement. Yes it is, this is a bold step. One of the things we can do with Markdown, of course, is links, so we can do something like that for example, which is just a standard Markdown link, and if I hover over it, if I click that now, it would take me to the place that I would think that it was going to take me.

One of the common XSS attack vectors is using JavaScript wrapped inside a link, particularly when the stored user input is being resurfaced back to the user's browser session. This is important because, well, knowing that this is the way that most XSS attacks happen, because this is one of the vulnerability types that OWASP talks about, one of the common vulnerability types that basically allows all sorts of malicious behavior to happen, particularly in the user's browser, doing all sorts of nasty things with cookie sessions and whatever else. So injecting JavaScript is something that we would hope that sanitization is going to stop, and indeed, when I enter that, you can see that it's stripped out. Well, one of the other common ways to get around this is to URL-encode character sets. So doing something very similar, but we're going to URL-encode some characters to try and get around that sanitization function, and so if I enter that now, again, same thing, it's able to identify it and it's stripping it out. The way to get around this particular library sanitization, what the vulnerability is, is by including an object type, or JavaScript object type, like this, which means that the characters aren't matched and therefore it isn't removed. So if I enter that one, you can see that that's actually been accepted, and if I click that now I get an alert box that pops up, and I've basically gotten around the sanitization cleansing, which is our vulnerability type.

One of the other demos, I'm not going to do it today, but I did want to highlight it, oh, it's going to make me log in, I did want to highlight it: we've also got this available in Java and a few other languages as well, this particular app. So if you want to play with some of these yourselves, please, please do so, local environments or development environments only. Don't take these to production, but I know you won't, I just wanted to mention it. Anyway, let's switch back to the slides. So as developers, again, as technology people, it's important that we help to protect those end users that we build these applications for, and that we build out and support our technologies for, because again, if you think back to that holistic stack view, we want to do some due diligence first, to make sure we know what we're letting into our stacks, and just take the time to make sure we keep people nice and safe and secure.

Of course, now we have a whole bunch of really cool scalable technologies that add to our holistic iceberg-view stack, allowing not only some elasticity to be built in, but also we can add in all sorts of cool things like redundancies and whatever else. Essentially our applications now become way more than our code, because we can also control and guide infrastructure as part of our deployments. If you take Docker for example, there's been over 242 billion downloads from Docker Hub to date, which is phenomenal, and as a dev, as a DevOps, as a DevSecOps, this just means that I can build out applications in my own containerized local environment and then deploy them and have them elastically build out as I need them to. But it's no surprise that we also see the same vulnerabilities appearing in known Docker base images consistently, also given that they're built from the same open source components that we've just been talking about. Consistently, year after year, we see the top 10 Docker base images basically carry the same vulnerabilities with them.

One of the things I always love to keep in mind with this is: with great containerization comes great responsibility, and keeping your application clean at the code front is just one step of that holistic iceberg view to protecting those end users. The last part of our iceberg is infrastructure as code, where we also get to do some really cool automation stuff, and I love automation. I'm not a lazy dev or a lazy DevOps, I just love it when automation works first time, and I'm always looking at you, Jenkins. Anyway, one of the things I love most about IaC is just being able to set up some nice gate controls so that as I deploy my application it can go through some automated checks before it finally gets deployed. Of course, it's always important to remember to make sure you're consistently reviewing and checking not only those gate controls, but also the files that you're delivering and building this infrastructure out with as well, because consistently we see, as the infrastructure continually updates or continually goes through that whole industry maturing, we also see new vulnerabilities surface in the form of configuration vector issues. So it's always important to make sure you're constantly reviewing those and checking those as well.

But we missed something most important, the most important part, well, at least part of the most important part. This one actually kind of scares me a lot, given, well, I have a local development environment, don't we all? But we're also seeing the same vulnerabilities now start to surface in developer environments as well, or dev environments, which, I mean, that's my place, but people need to leave that alone, that's my place where I build things. What we're seeing now is, particularly with the likes of Homebrew and also VS Code, a lot of the extensions and add-ons for those particular ecosystems are built from the same open source components that we're seeing these vulnerabilities surface in. So the likes of LaTeX Workshop, Open in Default Browser and Instant Markdown, for example, we see vulnerabilities like file traversals, which are now starting to surface vulnerabilities in dev environments. Instant Markdown, which I've got the link for on the screen, well, it's on my GitHub as well, there's a demo walking through how to basically play with or demo that particular vulnerability. If you do install that particular version of the VS Code, sorry, the Instant Markdown, please make sure you upgrade to the latest version, because that version, don't leave that one installed by any means, please don't. That particular version's vulnerability basically allows a remote attacker to be able to access your password file, or basically any file on your Mac. So yeah, just please be aware of the vulnerabilities that are now starting to surface in your dev environments as well, because we're consistently seeing this is an ongoing issue.

Homebrew actually put a blog post out about this back in, it was April or May, saying that there were some vulnerabilities being surfaced, so please be aware of what you're installing. Anyway, final takeaways: always be scanning, source code, containers, infrastructure. Just take the time, do some due diligence, protect those end users, because, well, we love them so much, that's why we built the things that we built. Again, please be aware of what you're installing in your local dev environments; we're seeing this is sort of a growing attack vector now, and all sorts of nasty things are starting to creep in. So particularly if you do install something locally, you just brew install the thing and you're not using it, just brew uninstall that thing that you're not using. Just remember to clean up your dev environment where you can as well. And lastly, please use your tech superpowers for good. Always remember, I do love that gif, and always remember to be excellent to each other. Thank you very much.
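An added example, not code from the talk, from Snyk's Goof demo app or from the marked library: the defender's counterpart to the link demo above. Rather than trying to pattern-match a javascript: target out of user input with regexes, it hands the link target to the WHATWG URL parser (Node's built-in URL), keeps only an allowlisted scheme, and renders the parser's normalized href instead of the raw string, so encoding and whitespace tricks never reach the output. The sample inputs, the base URL app.example.invalid and the function names are this example's own assumptions.

```javascript
// Added example (not from the talk, Snyk's Goof app or marked itself):
// scheme-allowlisting for Markdown link targets, done on the parsed URL
// instead of on the raw text. Names below (safeLinkHref, renderLink,
// SAMPLE_LINKS, app.example.invalid) are this example's own assumptions.

// Only these schemes may appear in a rendered <a href>.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Origin the to-do app is served from; relative links resolve against it.
const APP_BASE = 'https://app.example.invalid/';

// Return the normalized href to render, or null if the link must be dropped.
function safeLinkHref(rawHref, base = APP_BASE) {
  let url;
  try {
    // The WHATWG parser strips leading/trailing whitespace and embedded
    // tabs/newlines and lower-cases the scheme before we ever look at it.
    url = new URL(String(rawHref), base);
  } catch (_e) {
    return null; // unparsable input: no link at all
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return null; // javascript:, data:, vbscript:, file:, ... all land here
  }
  // Render the serialized form, never the user-controlled raw string.
  return url.href;
}

// Minimal HTML escaping for text content and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render one Markdown-style link; a rejected href degrades to plain text.
function renderLink(text, rawHref) {
  const href = safeLinkHref(rawHref);
  const label = escapeHtml(text);
  if (href === null) return label;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample inputs: what a to-do item's link target might contain.
const SAMPLE_LINKS = [
  ['docs', 'https://owasp.org'],            // ordinary absolute link
  ['item', '/todo/1'],                      // relative link on our origin
  ['mail', 'mailto:sec@example.invalid'],   // allowed non-http scheme
  ['plain', 'javascript:alert(1)'],         // classic XSS link target
  ['spaced', '  JaVaScRiPt:alert(1)'],      // whitespace + case variant
  ['tabbed', 'java\tscript:alert(1)'],      // embedded tab variant
  ['encoded', '%6Aavascript:alert(1)'],     // percent-encoded scheme
  ['data', 'data:text/html,hi'],            // data: URL
];

// Run every sample through the renderer and return the results by name.
function renderSamples() {
  const out = {};
  for (const [name, href] of SAMPLE_LINKS) out[name] = renderLink(name, href);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, html] of Object.entries(renderSamples())) {
    console.log(`${name.padEnd(8)} -> ${html}`);
  }
}
```

The three "tricky" samples show why parsing before checking matters: the URL parser strips leading spaces and embedded tabs and lower-cases the scheme, so every javascript: variant is recognized and dropped, while a percent-encoded scheme does not parse as a scheme at all and resolves to a harmless relative path on the app's own origin. Escaping the rendered href and label separately keeps the output-encoding step independent of the scheme check, which is the property the regex-based sanitizer in the demo lacked.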
Cool, thank you Developer Steve. Now we've got Arya, who's a UWA student and pen tester, and their talk is on JavaScript obfuscation for fun. Make sure your mic's turned on.

Hello, test, test, can anyone hear me okay? Obfuscators, for fun. Just a quick disclaimer: this discusses a hobby project. The views expressed in this presentation are my own and are not those of my employer. But that being said...

Is that working? Still going out to YouTube? Yep. It's probably my HDMI. Oh yeah, it could be. Give me a second. It's the adapter. Yeah, yeah, yeah, it should be fine. Whoa. Cool. Whoa, not above food.

I thought you checked the HDMI. So my 4G...

Yep, no worries. Okay, this works, cool. Just lovely, change your screen to that sharing thing. Oh no, no, we're good, very good. Okay, cool. Well, that definitely wasn't awkward. Don't you love Linux, everyone? Yeah, Obfuscating JavaScript for Fun. This is a hobby project; these are my own opinions, my own views. Who am I? I am "a void pointer", that's my nickname, as you will. I'm Ari Wadhana, I'm a second-year student at UWA studying computer science. I've worked in infosec on and off since 2019, shout outs to Trustwave Perth for taking in a literal child. My interests are reverse engineering, cryptography, and recently I began being interested in threat intelligence.
interested in threat intelligence um nothing too big i haven't caught any apts yet it's more like small fish but hey do what you can do so first let's talk about obfuscation it's very much an arms race it's very much cats and mouse game and what i mean by that well just to illustrate with a hypothetical analogy let's say an office gaming tool releases a new feature it could be a slightly sweet way of obfuscating strings how control flow works etc etc the attacker has fun they go run the ransomware they do their campaign but blue team does not have fun because the german the office generally not has to define signatures how do they detect it and then how do they transform
it to recover the original code right you know detection could be possibly fragile there are edge cases that you cannot possibly cover um the transformation could be slightly broken in different ways and unless you have some sort of formal verification thing you can't exactly know for sure so again blue team doesn't have fun and keep in mind that the office gaming tool can somehow break this process the whole detection and transformation in a future update just by slightly tweaking something or moving to a different entirely different method blue team still doesn't have fun so uh i'd like to point everyone out to um these this are all the debug scripts anybody familiar with audio debug
yes uh debugging tool these are scripts meant to um unpack help you unpack and dump vm protected binary so that's binary obfuscation and notice how it's different for each version even for the same functionality so this is what i mean it's very much a catamount game blue team versus red team or malicious attacker story um with the obfuscating artifacts that being said uh the topic of this talk will be javascript author skater so this is the description pull from the github it's a powerful free application for javascript containing a variety of features which provide protection for your source code it is and there's some things i like to get out of the way it is not a minifier
in the sense of oh remove white space remove new lines rename some variables and compress the code a tiny bit it goes far further than that it's not what i like to call shrink wrap protection in the sense of um it's an encoded uh sort of string encrypted string encoded string this would be base64 aes xor but at the interval it's passed to eval right you could easily replace that eval with console.log and recover the original source code anyways and thankfully it is not by code it's not a virtual machine with a javascript runtime executing instructions one by one right so i don't have to write the compiler thankfully it is source to source it is a transpiler
it directly modifies the source code using the abstract syntax tree, if anybody's familiar with that, to make semantic transformations, and it also injects code and replaces code to obfuscate things. And if anybody remembers earlier versions of JavaScript Obfuscator, I would like to also add that nowadays it's more than just a string array at the start and a bunch of indexes at the end of it all. They actually do have anti-debugging code that just breaks reverse engineering, essentially: breaks your Chrome DevTools, breaks most interpreters, essentially. And it is also extremely customizable. So this is just from the web GUI, right: you can choose your target, you can set the seed so it's nice and deterministic, you
can choose how often you'd like your strings to be obfuscated, which strings you'd like to exclude, which variables you would like to exclude from obfuscation. There's domain lock, so you can, you know, tie your script to run specifically on a certain website. There's dead code injection. It's a whole bunch of buttons, levers and switches. So I'd like to go to a demo really quick. Whoa, oh, all right, never mind, clear. Right, so let's go with a simple hello world, a hello world one-liner, very nice. And then this is the config that I have set up, and this is very much the console; there's all the features enabled, there's
a domain lock there; it redirects to google.com if the condition that is inside of it is satisfied. And we can just run javascript-obfuscator, just a single line: hello.js, pass in my config there, and then we should output a hello obfuscated. Yep, there it is. And another thing we can do is just take a look at it, essentially, so hello obfuscated.js. That's a bunch of stuff; that is a bunch of stuff, all right. No white space, no new lines, no line breaks, right, like it's really hard to read. All right, stop that. But hey, we have JS beautifier, right, so no worries, we just pass that in.
All right, so it's beautifying in place, lovely. So surely it's more readable, right? No. Like, huge string array right there. But hey, look, you know, some white space; it's slightly more readable, I suppose. Yeah, this isn't gonna work. So why do we care? Why do we infosec people care? So JavaScript can be obfuscated. Well, consider this. First point: Windows Script Host, wscript.exe. It executes JavaScript in a Windows environment, much like a VBS script, and this has been used in malware variants where a maldoc drops a JavaScript file, it is executed, and that JavaScript file pulls in the ransomware, drops it and executes it, right. So this is from research at hp.com,
right, really giving an in-depth analysis of this JavaScript downloader, or dropper if you will. There's your QR code right there if you'd like to read up on that. And I would like to point out the malicious actors use the exact same obfuscator that we're trying to look at, right: you know, "resembles that of an open source GitHub project called javascript-obfuscator". Now, the next thing: malicious npm packages. So there's a bunch of malicious packages; this follows nicely from the previous talk regarding dependency attacks, software supply chain attacks. But you can do lots of things with npm packages with malicious JavaScript executed in Node: you can steal tokens, there's
remote access through instances of remote access trojans, where it's just like a reverse shell. So one familiar, one famous example is this, the Fall Guys malware. It claims, oh, this is an API to the Fall Guys game, which was a viral fad, and really it just stole your browser's local storage, stole your access API tokens, your session keys, et cetera, et cetera. So another QR code there. And also malicious browser scripts, so think phishing pages, or even just skimming scripts run on legitimate websites. So with skimming scripts, these could be run on legitimate websites that were compromised somehow, through script includes, through dependency injection, whatever, and this would be run at payment processing
pages. So a customer types in their credit card details, their full name, their address, whatever, and then this script would silently exfiltrate it to another domain. And obfuscation is particularly useful here because they would want to hide those attacker-controlled domains where they exfiltrate to, so that there's more time that the host is actually up before the hosting provider gets a complaint. Yeah, Magecart, that targeted the Magento e-commerce platform, written by Adobe I believe. Magecart isn't actually one group; it's a bunch of groups that attack Magento, essentially, but there's a bunch of instances of Magecart malicious attacks. And this is a particularly recent one, actually this month: zero-day exploit code, and yes,
surprisingly, written in JavaScript. There was a recent remote code execution in Microsoft Office which leveraged MSHTML and JavaScript, which essentially downloaded a CAB file which contained a DLL which was actually a Cobalt Strike beacon, and bad things happen from there. But yeah, like, you know, zero days in JavaScript, weird, like even with Microsoft. I believe it's a single-click remote code execution too, so that's pretty interesting. And I would also like to point out this is the exact same obfuscator that they used, so like the strings there, the decoder function; I'll go into more detail there, but if you're familiar with JavaScript Obfuscator obviously you would recognize that as a JavaScript Obfuscator script
there. So this is in the wild; this was exploited by malicious actors, and this is the exact same artifact that was found. For better or for worse, JavaScript is everywhere. Malicious actors know this and they can leverage this, and this is something that blue teams should consider and counteract with, and counter the tools with. So how does JavaScript Obfuscator actually work? It's a bunch of magic; it's actually a bunch of passes, right. So they traverse the code and if it finds some things it changes them. So there's a bunch of passes here: control flow flattening, dead code injection, debug protection, the domain lock I mentioned earlier, you can disable the console output, you can
obfuscate numbers, constants, the string array, which is particularly important, self-defending, which essentially breaks the interpreter if it has a bunch of white space, and simplifying, which I believe just, like, compacts the code slightly more and makes it harder to read. And it does this by traversing the AST: it parses the code, traverses the AST, modifies the AST, makes semantic transformations to change how the code works. It adds code in the case of debug protection or dead code injection, and generally just changes how the code works. Just a quick rundown: I'm not going to run through all of the passes, but I'm just going to run through the more particularly significant ones. This is
the string array. So this affects most strings; you can tweak how often this happens. But at the top there is an array; that's all of the strings that will be encrypted, encoded, etc., etc. And then immediately after that is defined, it's rotated, and it's not rotated by an immediately visible amount, right; it actually iteratively does it until it satisfies a condition. So: is this integer at this index, multiplied by that other integer, equal to a constant? Okay, then we're done. After that it defines decryption functions. Surprisingly there's multiple decryption functions; you can specify whether you'd like your strings to be encrypted using base64, RC4 or both.
And then after those decryption functions there are sort of wrapper functions, which sort of hinder the deobfuscation, because you would have to first identify the decryption function, but after that, you know, not all instances of string obfuscation immediately use that decryption function; you have to actually find the wrappers and then resolve those. Also, another pass I would like to go through is control flow flattening. So sequential statements there: one, two, three, four, five. With control flow flattening there's a tape, right; we sort of direct, like, in what order should code be executed: three, five, two, one, four. And then it iterates through that tape and has a switch-case
statement. So because number one is the fourth one, it does the fourth thing; because number two is the third element in the tape, it does the third thing, et cetera, et cetera. So you can imagine how this would (a) slow down code but also (b) deter analysis, because you have to recover the control flow. And last but not least, this is dead code injection. Dead code injection is particularly interesting; it's just basically an if-else statement. So that's the original thing: just do your thing, do thing. But then you can turn it into an if statement that always evaluates to one thing: so if false, then, and the first statement is fake, the second statement is do thing. It's always
going to execute do thing, but false is particularly obvious, so you can obfuscate the condition by something like this: 'abcd' equals 'dbcda'. That's always false; that's always going to be evaluated as false, and hence the else statement is going to be executed. All right, this is still kind of obvious, but you can imagine with the previous string array passes, the string array obfuscation, it could end up with something like this. So there's a local object; there's three keys and values being defined, and those keys are obfuscated. I just left them as is, just to make it easier to understand, but you can see it indexes into the local object using an
obfuscated string, and then with that returned function, call that function with two more things from the local object, again obfuscated by the string obfuscation, and that would always equate to false, but from an immediate glance you wouldn't even realize that. All right, so that's dead code injection for you. So it's very nice that it's all open source, right, so a reverse engineer like me can just jump in and then just undo stuff, essentially. But these were just a few passes that were in JavaScript Obfuscator; I had to go through and essentially process every single feature. This took a couple of weeks, but eventually I came up with this tool, about a couple of thousand lines of
JavaScript there. It's my first ever Node.js project, right; I've written little snippets of JavaScript before, but I've never actually gone out and written stuff with Node.js. It's a source decompiler, because I was too afraid to deobfuscate binaries. I created it in 2019 as a side project in between uni work, and also worked on it between exams, which is a very smart thing of me to do. And it's used by myself against phishing pages, malicious scripts, etc., and potentially I'll look towards supporting other obfuscators besides JavaScript Obfuscator in the future. There's the GitHub link there, also same as the QR code; stars, comments, issues always appreciated. All right, just a quick demo. One day I got
a Discord message. Anybody familiar with Discord? Anybody familiar with Discord? Raise of hands. Anybody not familiar with Discord? Okay, good, I don't have to explain it. But one day I got a phishing message; one day I got a message from a friend I haven't talked to in ages, and they suddenly came up with this: Discord Nitro, Discord premium. I want that, everyone wants that, and it's for free, so I definitely hopped on it and logged in and did things like that. But that QR code there is urlscan, and urlscan.io is a particularly useful service: you can just pass in a URL and it just scans it for malware; it shows you the domain
and IP address, and more particularly it can show you what files are loaded, what's executed in JavaScript. So there's a bunch of JavaScript files here, but what's this, broad.js? So let's go into that. Ah, it's JavaScript Obfuscator, nice. So we can go into my thing here, and let's do broad.js. So that's my tool there, then target JavaScript Obfuscator, and then deobfuscate that file. You can pass that into less, and a bunch of things come up. You can see some text fields: billing information, full name, card number, CVV, card expiry, et cetera, et cetera. And you can see where it's being exfiltrated to; that is a webhook also hosted on the
Discord platform. But yeah, there's a bunch of things here that's very useful for stopping these activities. So that's the QR code if you want to have a look for yourself; that's the QR code to the urlscan result, not the actual phishing page. It's actually down nowadays. But here's another success story of how I saved the world from evil scammers and how you can too. So Monday I came across a PayPal phishing campaign; you know, asked for first name, last name, etc. Passed that into urlscan.io, and using the file name listing from before, like I showed you, I came across this file, m1.js, and obviously this is JavaScript Obfuscator,
but, you know, there's your string array up there, there's your rotation function, you know, the push-shift, there's your string decryption function; it's obviously JavaScript Obfuscator. So we can just quickly, whoa, whoa, so ../m, whoa, m1.js, so that's the file from before. Hopefully this works. Hey, so it's nice and deobfuscated, and then there's a couple of AJAX call requests. So what's happening here? The two AJAX POST call requests: the first one is to where the phishing page is being hosted, that's obvious, but what's the second link here? Here's what I think is happening. So phishing kits, like Becks explained, there's an author and somebody else runs it.
Here's what I think is happening: that's a back door; that's the domain controlled by the author, and because the code is obfuscated, the guy running it doesn't actually know that the credentials that they phished are being swiped from under their feet, and they wouldn't know because it's obfuscated. And if they remove that code, nothing works, because that's where the POST request to their domain is being made. So I got that link, got their autonomous system and filed an abuse report. They got taken down; I believe their response turnaround time was like 24 hours. And just to rub salt in the wound, I also went to their domain registrar and reported that, so they can't pivot to
another hosting provider. So, you know, that domain is gone; hopefully there's less credentials being exposed to less bad people. And that's it. Questions, feedback? [Applause]
[Applause] Questions?
The way I detected it was very much by eyeball. I haven't written, I plan to write a specific tool for easy detection, not quite so much the deobfuscation, so that it's nice and quick, so that, say, a SOC can look at it, raise an alert and then triage it. But yeah, all the things that I did to detect obfuscated JavaScript is very much by eyeball. I guess you could sort by file size, I guess you could sort by weird behavior, but that's pretty much it.
of the obfuscation automatically. So that's what I tried to demonstrate using the demo with the Discord phishing page, using the PayPal phishing page also, so it's all automatic. The, sorry? Yep, yeah, it's on GitHub. So this slide is up here, up, no, here. So there's the link there, github.com, and there's your QR code there, so that's the GitHub link. Sorry, any other questions? Yes. How many kind of legitimate businesses do you see? I work for a large e-commerce platform and we see a lot of, like, anybody who deals with marketing, this is a nightmare, and, you know, we have, you know, vendors
Well, there is a difference between, like, minify, like I explained; a minifier is just so that everything runs faster, so just, like, the JavaScript is compiled and it's way smaller. The obfuscation is more to deter reverse engineering. So there are legitimate purposes for obfuscation like this; you know, Nike for example, they have a bunch of sneaker bots and, like, scalpers trying to target this, so obviously they want obfuscation on their checkout page, for example, and the same goes for, like, airline tickets or hotel rooms, etc., etc. And also there are concerns around, like, scraping, right; like, you don't want anybody to scrape your
data, so obviously you obfuscate how you fetch that and you obfuscate how you process that. Cool. All right, thanks Aria, thank you. That is it for the in-person session; the lunch should be here any moment. If you'd like to stay and watch the talk that was supposed to be first on the schedule yesterday, that will be playing here and out to YouTube as well, but please don't bring food in here. That's it. All right, thanks. [Applause]
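As an added example that is not part of either talk and is not the speaker's tool, here is a dependency-free Node.js sketch of the two steps the first talk describes: resolving the string array (replaying the push/shift rotation, decoding, resolving the wrapper's index offset) and folding the always-false dead-code predicate. The sample it runs on is constructed to imitate the obfuscator's output shape; it assumes plain base64 rather than the tool's custom alphabet or RC4 option, and its identifiers and strings are invented.

```javascript
// Added example (not from either talk, not the speaker's tool): string-array
// resolution and dead-code folding for the output shape described above.
// SAMPLE is constructed; it assumes plain base64 and invented identifiers.
const SAMPLE = `
var _0x4a3b = ['aGVsbG8=', 'd29ybGQ=', 'Y2FyZF9udW1iZXI=', 'L2NvbGxlY3Q=', 'NDI='];
(function (_0x1, _0x2) {
  while (!![]) {
    if (parseInt(_0x3c(0x0)) * 0x3 === _0x2) break;
    _0x1['push'](_0x1['shift']());
  }
}(_0x4a3b, 0x7e));
function _0x3c(_0x5) { return atob(_0x4a3b[_0x5]); }
function _0x2d(_0x6) { return _0x3c(_0x6 - 0x10); }
if ('abcd' === 'dbca') { _0x2d(0x11); } else { send(_0x2d(0x14), _0x2d(0x13)); }
`;
const HEX = '0x[0-9a-fA-F]+';
const b64 = (s) => Buffer.from(s, 'base64').toString('utf8');

// 1. The string array declared at the top of the file.
function parseStringArray(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([^\]]*)\];/);
  if (!m) throw new Error('no string array found');
  const items = (m[2].match(/'([^']*)'/g) || []).map((s) => s.slice(1, -1));
  return { decl: m[0], items };
}
// 2. The rotation IIFE: push/shift until parseInt(decoder(idx)) * factor === target.
function parseRotation(src) {
  const iife = src.match(new RegExp(
    `\\(function\\s*\\(\\w+,\\s*\\w+\\)\\s*\\{[\\s\\S]*?\\}\\(\\w+,\\s*(${HEX})\\)\\);`));
  if (!iife) throw new Error('no rotation loop found');
  const cond = iife[0].match(new RegExp(
    `parseInt\\((\\w+)\\((${HEX})\\)\\)\\s*\\*\\s*(${HEX})\\s*===`));
  if (!cond) throw new Error('unrecognised rotation condition');
  return { text: iife[0], decoder: cond[1], index: Number(cond[2]),
           factor: Number(cond[3]), target: Number(iife[1]) };
}
// Replay the rotation on our own copy instead of executing untrusted code.
function rotateUntil(items, rot) {
  const arr = items.slice();
  for (let n = 0; n < arr.length; n++) {
    if (parseInt(b64(arr[rot.index]), 10) * rot.factor === rot.target) return arr;
    arr.push(arr.shift());
  }
  throw new Error('rotation condition never satisfied');
}
// 3. The decoder definition and the wrapper that calls it with an index offset.
function parseDecoderAndWrapper(src, decoder) {
  const decl = src.match(new RegExp(`function\\s+${decoder}\\s*\\(\\w+\\)\\s*\\{[^}]*\\}`));
  const wrap = src.match(new RegExp(
    `function\\s+(\\w+)\\s*\\((\\w+)\\)\\s*\\{\\s*return\\s+${decoder}\\(\\2\\s*-\\s*(${HEX})\\)[^}]*\\}`));
  return { decoderDecl: decl ? decl[0] : '', wrapperDecl: wrap ? wrap[0] : '',
           callee: wrap ? wrap[1] : decoder, offset: wrap ? Number(wrap[3]) : 0 };
}
// 4. Fold 'lit' === 'lit' predicates, then if (true|false) {..} else {..}.
// Braces inside string literals are not handled (fine for the sample).
function matchingBrace(code, open) {
  let depth = 0;
  for (let i = open; i < code.length; i++) {
    if (code[i] === '{') depth++;
    else if (code[i] === '}' && --depth === 0) return i;
  }
  throw new Error('unbalanced braces');
}
function foldDeadBranches(code) {
  code = code.replace(/'([^']*)'\s*===\s*'([^']*)'/g, (_, a, b) => String(a === b));
  const re = /if\s*\(\s*(true|false)\s*\)\s*\{/;
  let m;
  while ((m = re.exec(code)) !== null) {
    const thenOpen = m.index + m[0].length - 1;
    const thenClose = matchingBrace(code, thenOpen);
    const tail = code.slice(thenClose + 1).match(/^\s*else\s*\{/);
    let keep = m[1] === 'true' ? code.slice(thenOpen + 1, thenClose) : '';
    let end = thenClose;
    if (tail) {
      const elseOpen = thenClose + tail[0].length;
      end = matchingBrace(code, elseOpen);
      if (m[1] === 'false') keep = code.slice(elseOpen + 1, end);
    }
    code = code.slice(0, m.index) + keep.trim() + code.slice(end + 1);
  }
  return code;
}
// Put it together: the decoded string table plus the rewritten, folded body.
function deobfuscate(src) {
  const { decl, items } = parseStringArray(src);
  const rot = parseRotation(src);
  const strings = rotateUntil(items, rot).map(b64);
  const fn = parseDecoderAndWrapper(src, rot.decoder);
  let code = src;
  for (const junk of [decl, rot.text, fn.decoderDecl, fn.wrapperDecl]) {
    if (junk) code = code.replace(junk, '');
  }
  code = code.replace(new RegExp(`\\b${fn.callee}\\((${HEX})\\)`, 'g'), (_, hex) => {
    const s = strings[Number(hex) - fn.offset];
    if (s === undefined) throw new Error(`index ${hex} outside string array`);
    return JSON.stringify(s);
  });
  return { strings, code: foldDeadBranches(code).trim() };
}
```

deobfuscate(SAMPLE) returns the decoded string table ['42', 'hello', 'world', 'card_number', '/collect'] and the folded body send("/collect", "card_number");, which is the exfiltration call the dead-code branch was hiding.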
Hey everyone, this is Cracking Android PINs at BSides Perth 2021, and I'm Andrew Horton, although some of you will know me as urbanadventurer. So I live in Melbourne but I'm actually a Kiwi from New Zealand; I grew up in Christchurch. So I like to write security tools and I've written a few. There's WhatWeb, which is a web application fingerprinting scanner; I originally wrote that about 10 years ago and it ended up in BackTrack Linux and then still in Kali in the default distro. It's quite good, with a good open source following. URLCrazy is a domain name typo tool that ended up in Kali as well. There's
bing-ip2hosts, using Bing. Look, I've written a lot of security tools because it's kind of a hobby. And I'm currently the CEO of Domain Defender, and that involves red teaming, pen testing, and I work with a variety of infosec companies in Australia and the United States, and our clients are global, and I wear a lot of different hats, so I'm not just a hacker, okay. So shout out to all my hacker friends, you know who you are. So today I'm going to teach you how to crack PINs on Android phones. So,
why I did this research. Soon after I got back from traveling around the world last year, someone's father died and they asked me to help, because they had his phone but didn't have his PIN number, and they knew there would be photos and other important things on there that they needed access to. So I said I'd help. Now my goal was to unlock the Samsung Galaxy S5, so I could look up when it was manufactured: 2014. I thought, okay, this one's kind of old, how hard can it be? But I didn't know what version of Android it would be running. Now I knew when this was first produced it'd be 4.4.2, but
I had no idea what kind of updates had been made since. Now that code you can see down the bottom, that's the information that I got from the USB connection. So as an expert with about 20 years in information security, I turned to Google just like anyone else would, and I typed in how to unlock the Samsung S5, and there's a variety of different approaches. So I started off by trying to get some PINs, and I referred to the research DataGenetics did back in 2012. They're an early data science company, and to try and get some publicity they did a study of common PIN numbers, produced this table of the top 20
and created some nice visualizations of the PIN numbers and so on. Now this went into the media cycle, got reported on all around the world, with the scary, alarming claim that 26 percent of all passwords could be guessed with just 20 numbers. But I'm not really sure I believe that, because this data actually came from password database dumps, and what that is, is that's databases of names and passwords that were leaked: someone hacked into a website, stole all the names and passwords and then just leaked them out onto the internet. And so they went through these leaks, they pulled out the numeric passwords, and they said, okay, 1234 is most common.
That may not directly translate to people's mobile phones; well, I hope not. So no, didn't work. Now in the movies people can crack safes or they can guess PIN numbers by researching a person and learning their birthday or their children's birthdays, so I did the same thing. I asked the family for all the dates, birthdays, anniversaries, all the old phone numbers as well, to see if the PIN could be the last four digits of a phone number, either current or past. And I tried a number of phone words, and a phone word is a number that's made up of letters that are shown on the numeric keypad. For example,
under two there's ABC, under three DEF, and so on. Anyway, it didn't work. And then I had a look at Google's Find My Device feature, but that didn't work because I didn't have access to his Google account, well, not at that time. I later figured out, after I'd managed to unlock the phone, that that would work on Android 7.1.1. Okay, so Samsung also have a Find My Mobile service, and that can unlock a phone, but here's the problem: he had never registered his phone with this service, so no, didn't work. So I had a look into a particular vulnerability that would crash the Samsung lock screen, and I remember when this came out, and
there are a lot of videos of people demonstrating it. You could do this all just by using the phone normally. You see, what would happen is there was a buffer overflow vulnerability in the password field on the lock screen, and someone could fill up the copy-paste buffer and make it larger and larger and larger, and then paste it into the password field. When it was so large that it would overflow the memory that was allocated for that data, it would just crash the lock screen out, and if you can crash the lock screen app, then it's the same as unlocking the phone; just beneath it is the regular
Android operating system, and the usual unlocked phone. So no, that didn't work; it only works if a password is set, not a PIN. Now one of the other common pieces of advice on how to unlock a phone is to connect that phone using something called ADB, and what happens here is someone connects their computer to a phone with a USB cable, but it only works if they have enabled something called USB debugging on the phone, and your average everyday phone user is not going to do that. The only people who do that are people who want to experiment with installing a custom ROM on their phone. For example, let's say they don't like the stock Samsung ROM,
they want to change it, customize it, make it look cooler, then they could install a ROM like LineageOS, formerly known as CyanogenMod, and even I have installed this on a phone. But that's just for technical users, computer nerds; it doesn't work for your average person. Okay, so what about this phone hacking or modding community? And the center of that community is XDA forums. So I had a look around and I found this guide on how to hack or bypass the password on Android, and it had seven different methods, but each one of those methods required either USB debugging be enabled or a recovery bootloader be installed, and whether the Android
operating system had been rooted or not didn't matter; it was optional. And as you know, rooting is the Android equivalent of the iPhone jailbreak. So even these phone mod experts said, if none of these methods works for you, unfortunately you probably must fully wipe your device. So no. Okay, here we are at the factory reset, and that's what a lot of people have to do, but if I did this then I would lose access to any of the potential photos on the device, so it wouldn't work for me. And I noticed while I was searching that there were ads for commercial software, and they promised to remove all kinds of screen lock types
and that it could work on different phones. So I checked some reviews and some people seemed happy with it, and this Dr.Fone by Wondershare claimed to even support the Samsung S5. So I paid for it, I bought it, and it was kind of a scam, because the way this worked was it would guide me through the process I had already been through. I mean, it would tell me exactly what to do step by step, though, and that may be useful for some people, but it didn't have any special ability to remove the screen lock. Nope, nope, that was a waste of 40 dollars. And then I looked into the forensic software for the mobile market.
I caught up with a good friend of mine who has led incident response teams and done a lot of forensics work. Unfortunately he hadn't really done a lot with mobile, but we talked about the big names, Cellebrite, Oxygen and so on, and I did manage to get a hold of a trial version of Oxygen from 2012. Sure, it was old, but it worked. I installed it and I set it up and went through the process, and it wanted me to enter the PIN to unlock it. You see, it wouldn't actually crack the PIN; sure, it could image the device and find forensic data, but only if you could already unlock them. So
I thought, wow, what if I could get a hold of a Cellebrite unit, Cellebrite being the big name in the forensic tools. Well, it's on eBay. Now normally it's just law enforcement that has this, and border crossings, and then other kinds of security, but these things are kind of expensive new, and then the second-hand market on eBay for the older ones can kind of make it a bit more affordable. I looked into this and I seriously considered buying one for about a thousand Australian at the time, but I knew it was going to take a long time to be delivered, especially from the United States, with all the delays due to the coronavirus
pandemic. So I kept this as a possible backup plan, but I wanted something that would be a bit faster. So then I looked at the public security research that had been done into Samsungs. I found a collection of known vulnerabilities, issues that had been fixed already, and in some cases there was exploit code for these, but generally, if there was information about it, the information was sketchy; they didn't give you enough information just to go and reproduce the vulnerability yourself without doing a bit of research. And in addition to that, it's a locked phone, so I couldn't even click on a link if I sent myself one. But I had some ideas. What I could do
was I could monitor the Wi-Fi SSID probes that the phone was sending out to see what Wi-Fi access point names it wanted to connect to, then I could provide those and have it connect to my Wi-Fi, and then from there I could look at the network traffic it was sending, and if I was lucky I would find something that was unencrypted that I could intercept and modify, and maybe I could deliver something that would exploit a vulnerability and give me access to the phone. But that was a lot of maybes and it could be a lot of work, so I thought, nope, I'll move on and look for something else. And then I remembered, hang on,
the USB Rubber Ducky from Hak5. Now Hak5, they make all our favorite hacking electronics, and I used to have a USB Rubber Ducky. Unfortunately I sort of had ended up losing all my hacking electronics that I had left in Australia while I was traveling around the world a couple of years ago. Anyway, this would have been perfect. Sure, it looks like a USB drive, but it's not; it's actually a tiny little sort of microcontroller that emulates a keyboard and can send various keyboard-based payloads, and Hak5 had set one up so that it would send PIN numbers. And let's have a look at that, let's test it out.
So, all right, so with our phone turned on, I'm just going to go ahead and plug in the Ducky, and it's going to wait about five seconds before it starts doing its magic. We put that delay in there and that's just to make sure that it doesn't, like, immediately start flooding the computer with stuff. And there we go, we can see the last digit when it gets to the end, because we are typing pretty quickly, and we went through 0000 through 0003, we'll get to 0004, and we've now done five attempts. It's gonna hit enter twice, remember, and we're going to speed this up right now so you don't have to wait the full
30 seconds. And 0005, 0006, 0007, 0008, and hey, would you look at that.
So that would have been perfect. But, well, I mean, I thought it would have been perfect at the time; I later realized that would not quite have worked. And I didn't want to buy a new Rubber Ducky and wait an unknown amount of time for delivery. So I thought, okay, should I give up, order some hardware? Maybe I could order an Arduino; like the Rubber Ducky, it's a microcontroller platform that's easy to program and it can emulate a keyboard. Or buy a Rubber Ducky, or buy the Cellebrite unit. Yeah, but I didn't want to wait. I mean, who knows how long it would have taken with all those Aus Post delays. Anyway, there was a potential backup plan, so I
moved on. But you know what I did have: I had a OnePlus One phone, and that is the flagship model to put Kali NetHunter onto. And as you know, Kali Linux is the main, premier platform for penetration testing under Linux, and NetHunter is the phone version of that. So it's a phone packed full of hacking tools, Metasploit, all your favorites, and it included something called DuckHunter. And DuckHunter would take a Rubber Ducky script and then it would emulate the keyboard; it would execute that script and it would send over cable any keyboard strokes you want. Now most of the scripts were designed to take over your computer,
take over your Windows computer, your OS X, your MacBook, your Linux server, whatever. It would execute commands that would try and maybe download something off the internet, execute it and pass command of the computer to someone else. Cool. So I tested this out; it seemed to work fine, it would send things to my computer. So I loaded up the Hak5 PIN brute force script, the thing that would send 0000, enter, and so on, but it didn't work, just nothing happened. The DuckHunter app just sat there, didn't respond, because it was thousands and thousands of lines long, it was huge. You see, first it would send the number, then it would send enter,
then it would repeat that for five, and then it would have a longer delay, and then it would do it again. And it just didn't work, but it should have worked. And the magic ingredient, the approach that I knew would work at this time, was that if you just take a keyboard and you plug it into one of the On-The-Go cable adapters and then plug that into your phone, you can just type away and it's just the same as pushing the numbers on the screen, and that's how the Rubber Ducky worked. Yeah, so I had an On-The-Go cable, I tested it out, yeah, I knew it was gonna work. So I thought, okay,
I'm just gonna have to do it myself; I'm gonna have to write my own code to brute force these PIN numbers. So my plan was simple. I just looked into how to emulate the keyboard with the NetHunter phone. I wrote my own shell script; it would send five PINs at a time, then wait 30 seconds and repeat, and this is what the Samsung S5 would do: every time you get 5 wrong it makes you wait for 30 seconds. And then while it was running I would just watch the phone, you know, while watching TV or having dinner or whatever, and eventually it unlocked. So to go through the full 10,000 would have
taken 16.7 hours back to that but instead it would do a series and then the phone would um run out of battery and then i would charge it up and then restart it having a rough idea of where it finished based on the logs because this the script would detect when the when the phone um uh ran out of battery so after it finally unlocked i looked down and it was unlocked for wow this worked i went back and tried the last 15 minutes worth of pins watching it closely until i had the pen look right it's done and i could have stopped there but instead i tied it up the code i documented how it worked
um added some emojis to make it look cool and i put it on github to share it with everybody else and and this is what i meant so i based the interface on some recent tooling i've seen like um cube control from kubernetes and i liked the way it had you know a handful of main commands followed by different options so yeah let me show you how it works on the left we have my one plus one uh with charlie net hunter it's running the script and on the right we have a samsung s7 that i bought on ebay and it was cheaper because it had a cracked screen and i put duct tape over the cracks and all the
cracked glass. You can see that after the fifth attempt it waited for 30 seconds, then it kept going,
and then after the 10th attempt it cools down for 60 seconds. Of course we sped it up a little bit in this video,
and then after 11 attempts it's 300 seconds, or five minutes, to wait,
and then it unlocks, just like that. You might ask, well, how long does this S7 take to unlock when it keeps getting wrong passwords? Yeah, it takes a while, but for some people that's worth it; they won't mind taking weeks or months. So you want to unlock a phone too? Well, what do you need? You need a locked phone. You need an Android phone capable of running Kali NetHunter. Now it doesn't have to be fully capable: the Wi-Fi injection drivers and things don't need to be compatible, just the USB HID module needs to work. You need the USB On-The-Go cable; they're easy to buy. And finally you need the Android PIN
brute force script. So why? What are the benefits? Well, mainly it uses another phone to hack the phone, and it's totally configurable: you can change the timings and the keys, and because it's open source you can contribute to it and extend it. It doesn't need USB debugging enabled or for ADB to be set up. You don't need to have rooted the Android phone. You don't need to buy special hardware or six devices. And finally, it actually works. Okay, so I've added a lot of features, more than just these, but it can handle PINs of different lengths, not just four. It comes with different configuration files already set up for popular phones. There are optimized PIN lists, so the
PINs are in order of their popularity. It bypasses pop-ups that can appear on the phone that may interrupt your brute force password guessing. It detects when the victim, or the locked phone, is unplugged or powers down. And like I say, you can configure it, and then it's good. So go to my GitHub and you can download it from here. Now I first put it on GitHub while I was working on it last year and I didn't really promote it; I didn't speak about it at any other conferences. This is the first time I've really spoken about this tool, but people have found it and they've clicked star. With 1.6k stars, it sort of tells me
that this is something that people are interested in. So if you want to install it, these are the steps that I took. They worked for me; you may want to install it in a different way. But first, grab the source code repo from GitHub. Enable SSH on your NetHunter phone. Check the IP address. SSH into a terminal on your phone from your laptop, and then transfer it using scp into the /sdcard folder. Once you've transferred all the files in there, to execute it you can't just chmod it and ./ it; instead you need to type bash, space, and the script name. So that works, and the reason for that is
because /sdcard is actually mounted noexec. You'll be asking yourself: is this going to work with the phone in my bottom drawer that's just been gathering dust over the years? I want you to go home and try it and tell me. First you can check if it's already in the phone database in the wiki. The version of Android doesn't really seem to matter; this has worked successfully with versions 6 through to 10. So on the wiki you can see some of these have been tested by me, some have been tested by Vlad over in Vancouver, and some were tested by some other people,
and there's also a list of phones that people have tested and had no luck with. But if you have this phone, please test it anyway, because your mileage may vary.
Now, how did I make the optimized PIN lists? Well, for the four-digit PINs, I took this from a DEF CON talk by Justin Engler and Paul Vines on electromagnetic PIN cracking with the robot. These guys, for their research, had generated this list of optimized PINs ordered by the frequency, the popularity, of the PIN, and I reached out to them and asked if I could use it and distribute it with my tool, and they said yes, that's cool. So thanks. Then I sort of repeated that process. I used the gas pack database leak; it's like a mega leak of password databases that have been hacked and leaked out onto the internet,
and from this I extracted roughly 139k fully numeric passwords. So the password somebody had chosen for some random website, including Adobe and LinkedIn and MySpace and RockYou and all those ones that had the leaks, the password was completely numbers. Out of those I extracted the ones that were three, five and six digits, and I sorted them by frequency, and then any they didn't have I just filled in at the end. So to use the tool to crack a PIN that's not four digits, use --length; that's a command line option, with three or six or five. If you enter a length that doesn't have an
optimized list, it'll still work, but it'll just go in order, like 001, 002, 003 and so on. If you do research yourself and have a good idea of what the PIN might be, you can make your own customized PIN list and pass that to the tool with the --pinlist option. But what if you know it starts with a one or it ends in a nine? You can use something called a mask. A mask uses regular expressions; in this case the dot acts as a wildcard, so a dot in the first, second and third position means any number will be accepted, but the nine in the last position means
only send PINs ending in nine. Or maybe you know it's either a four or a five; well, you can put a set of allowed numbers between these square brackets, and that'll limit which PINs it will bother sending to the phone. Now these are the config files that come with Android PIN brute force. The Samsung Galaxy S5 config is the first I made, and the others are some made by me, some made by others, and each of them has slightly different timings and keys that are sent. Now this is the default config file, and as you can see it's kind of self-documenting. As you're editing the file you can see what all the variables mean and how to use
them, and you can see how you can change the keys that are sent before each PIN. In this case, sending Escape, Enter will bring up the PIN prompt, and Enter is sent after each PIN. You can change the keyboard device, you can change the log files, you can change a lot. Probably the most tricky part is customizing the progressive cooldown, and you can see in this table how that translates to these three array variables here. So after one attempt you get five attempts until you cool down for 30 seconds; after the 11th attempt there's one more cooldown, then for 30 seconds; after the 41st attempt it will cool down, until then, for 60 seconds. So it just slows right down, and
then it keeps being one minute between the attempts. Okay, so if you want to send keys, well, you can test that it's working with this USB Keyboard app that you can find on the NetHunter store. It's really easy, it has a nice GUI, you don't have to go to the terminal for it. But if you do want to go to the terminal, you can send keys using the /system/xbin/hid-keyboard command. In this case /dev/hidg0 is the keyboard, but it could be hidg1. Now people often ask me, what about iPhones? Well, this approach should work with an
iPhone 3 or 4, but I don't have one to test with. Because there's some hardware devices that support PIN cracking up to iOS version 4.8.x; after that they don't support it. Then there's the GrayKey device, that uses a different technique. Now I do have a USB OTG Lightning adapter, so if you want I can help you test it.
Now how do you emulate a keyboard if you need NetHunter anyway? Well, this can't be done from a laptop; it can be done from a phone, though, and the reason for that is the bi-directional USB ports. Android uses a Linux kernel, and there's a Linux kernel module for human interface devices. Now this creates the /dev/hidg file, and then, using the test gadget code that was created for the Linux kernel and is available on their website, you can test them. Is this a problem? Sorry. Okay, this is a problem. This is a problem, that in 2021 this is possible. People have been brute forcing passwords for a very, very long
time, and Android security itself isn't really that bad, but the lock screens are made by the handset manufacturers, not by Google, who look after Android security. So it's the Motorolas, the LGs, the Samsungs and so on who have made this problem. People also ask about whether devices will wipe themselves. Sure, that option is available, but most people don't enable it. And then the progressive lockdowns, well, it's not always going to help if people are willing to wait. Okay, so what's next for this tool? I've got the roadmap on the GitHub page, and I do plan to implement this for iOS 4.x at some point, and then it will work on all the
iPhones and iPads even. And people don't just protect their Android phones with PINs; a lot of people use patterns. Now cracking patterns isn't as easy as just sending the keys one through nine and zero. To actually crack or enter a pattern on the phone through an OTG cable you need a mouse. Now fortunately the Linux kernel website outlines not just how to emulate a keyboard but also how to emulate a mouse and a joystick. So through mouse emulation I will be able to simulate moving the cursor, clicking and dragging away an unlock pattern, but that is work that's yet to be done. Now another really big one that I did mention before is I
didn't know when the phone had actually unlocked. I just looked down, saw that it was unlocked, and then had to go back and repeat the PINs that I'd tried. A way to solve that would be to have some kind of camera watching it. Now I could use the front camera of an Android phone; I could place it on the screen of the locked phone, and it could detect when the colours change, because the average colour of the lock screen should be different from the unlocked Android OS. And then finally, it'd be great to develop a nice GUI, something that's a bit easier to use for everyone. Okay, so what about contributions? Well,
I really like it when people reach out to me or they open issues. So I've had a lot of people reach out and ask me about specific phones, and I've worked with them over time, trying to tell them to see what,
to see what keys are being recognized by the phone. In some cases people are going out, they're buying OTG cables, and then they're plugging in keyboards and they're just trying them out, and that's great. In other cases people are just kind of trying different things by sending keys, and they're typing these commands on their NetHunter phones slowly and then trying to figure it out that way, and that'll be pretty hard. But I can't do this without the community, because I just don't have that many phones. Now with Vlad it was great: he contacted me and we spent quite a bit of time talking, and I sort of tried to help him,
guide him through his self-education in mobile forensics and Android security. So Vlad had access to the cyber forensics lab in Vancouver, which had a lot of phones in it, and some of these phones were test phones and other phones were actually for cases. So the police had got this phone as evidence in a case, and it had just been sitting around on the shelf and it had never been unlocked. Even though he did have some commercial tools, the expensive ones that are meant to work, they didn't work on some of these older phones, but he thought the Android PIN brute force would. So that was his main motivation. So
what about the ethical implications? Well, Ken Thompson, back in 1988, said that the act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house, and it should not matter that the neighbor's door is unlocked. Well, I really like this quote because it opens the door for ethical breaking in. You might ask, well, who would use this ethically? Well, first of all, people who need to break into their own home, or people who survive a person who's passed away. Law enforcement need it, and of course consultants, people like us; we need to be able to hack into phones too. So thank you for listening to my talk.
Please go to my GitHub project page, click the star, and please also go to morningstarsecurity.com/news for all your favorite IT security news sources. I've got them all there on one page in a big aggregator; bookmark it. And finally, please reach out to me if you are one of these people that has an old phone sitting in that desk drawer that you've just forgotten about for years. I would be interested to know if it works or not, or if we can work together to make a config file for your phone that does work. Okay, thank you, and yeah, please ask me any questions on Discord. Thanks.
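The progressive cooldown schedules the speaker walks through (5 failures then 30 s on the S5; 30 s, 60 s, then 300 s per failure on the S7; and the optional self-wipe) decide how long an exhaustive PIN search takes. The following added example, which is not code from the talk or from the android-pin-bruteforce project, models those schedules from the defender's side so a lockout policy can be compared for 4- and 6-digit PINs. The S5-like and S7-like schedules and the wipe-after-10 variant are reconstructed from the talk's description and are assumptions, not measured device behaviour.

```python
"""Model how a progressive lockout policy changes the cost of exhausting a
PIN space. Added example for evaluating lockout settings; it is not code from
the android-pin-bruteforce project. The schedules below are constructed from
the talk's description and are assumptions, not measured device behaviour."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Tier:
    first: int     # first failed-attempt number this tier covers
    period: int    # a cooldown is imposed once every `period` attempts
    seconds: int   # length of that cooldown


@dataclass(frozen=True)
class Lockout:
    tiers: Tuple[Tier, ...]            # ordered by `first`; the last matching tier wins
    wipe_after: Optional[int] = None   # device erases itself after this many failures

    def cooldown_after(self, attempt: int) -> int:
        """Seconds the device refuses input after failed attempt number `attempt`."""
        active = None
        for tier in self.tiers:
            if attempt >= tier.first:
                active = tier
        if active is None:
            return 0
        hit = (attempt - active.first + 1) % active.period == 0
        return active.seconds if hit else 0


# Galaxy S5 as described in the talk: after every 5 failures, wait 30 s.
S5_LIKE = Lockout(tiers=(Tier(1, 5, 30),))
# Galaxy S7 as shown in the demo: 30 s after the 5th failure, 60 s after the
# 10th, then 300 s after every failure from the 11th onward.
S7_LIKE = Lockout(tiers=(Tier(1, 5, 30), Tier(10, 1, 60), Tier(11, 1, 300)))
# Same schedule with the "erase after 10 failed attempts" option turned on.
S7_WIPE = Lockout(tiers=S7_LIKE.tiers, wipe_after=10)


def reachable_fraction(policy: Lockout, space: int) -> float:
    """Share of the PIN space that can be tried before a wipe (1.0 if no wipe)."""
    if policy.wipe_after is None:
        return 1.0
    return min(policy.wipe_after, space) / space


def time_to_exhaust(policy: Lockout, space: int,
                    entry_seconds: float = 0.0) -> Optional[float]:
    """Seconds to try every one of `space` PINs, or None if a wipe ends the
    search first. No cooldown is counted after the final attempt."""
    if reachable_fraction(policy, space) < 1.0:
        return None
    total = space * entry_seconds
    for n in range(1, space):
        total += policy.cooldown_after(n)
    return total


def expected_time(policy: Lockout, space: int,
                  entry_seconds: float = 0.0) -> Optional[float]:
    """Mean seconds to reach a PIN chosen uniformly from the space: the average
    over every possible position of the correct PIN in the search order."""
    if reachable_fraction(policy, space) < 1.0:
        return None
    total = 0.0
    waited_before = 0.0   # cooldown time accumulated before attempt k
    for k in range(1, space + 1):
        total += k * entry_seconds + waited_before
        waited_before += policy.cooldown_after(k)
    return total / space


def describe(seconds: Optional[float]) -> str:
    """Human-readable duration, or a note that the device wipes first."""
    if seconds is None:
        return "search cannot complete (device wipes first)"
    return f"{seconds / 3600:.1f} h ({seconds / 86400:.1f} days)"


if __name__ == "__main__":
    policies = (("S5-like", S5_LIKE), ("S7-like", S7_LIKE), ("S7 + wipe", S7_WIPE))
    for name, policy in policies:
        for digits in (4, 6):
            space = 10 ** digits
            print(f"{name:10s} {digits}-digit: exhaust "
                  f"{describe(time_to_exhaust(policy, space))}, expected "
                  f"{describe(expected_time(policy, space))}")
```

With zero entry time, the S5-like schedule over all 10,000 four-digit PINs comes out at 59,970 s, the 16.7 hours quoted in the talk, while the same schedule over six-digit PINs takes roughly 69 days and the S7-like schedule over four-digit PINs roughly 35 days.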
Okay everyone, thanks for joining us back here again. We're going to go over to Ian Dixon's talk now on how to build your own SOC.
Good day to BSides Perth. My name's Ian Dixon. Firstly I'd like to acknowledge that I'm hosting this talk from the traditional lands of the Ngunnawal people and pay my respects to elders both past and present. But thank you guys for having me. Look, unfortunately I can't be with you because, as you can probably tell, I'm in Canberra and I'm stuck at home, which is why you can see the mess that is my house behind me. But look, I've been really excited to speak to BSides Perth again. I came down in 2019, and what I'm presenting today is a result of some work that I've been doing over the
last couple of years. I'm really keen to share that with you all. Firstly I will say apologies if you see dogs running through the background, although I'm sure apologies aren't needed; they are a bonus, shall we say, for your work today. But let's get started. So my talk today is based around building security operations capabilities. Now you'll notice I didn't say security operations centers, although the two things are explicitly linked. It is something that we'll debate a little bit very shortly: the difference between, well, the definition essentially of what a security operations center is. But, sure, click the right screen, this is going to get me. So what will I be
covering today? Essentially we're going to do a bit of a definition of our terms: what is a security operations capability or a security operations center? Then we're going to be talking about what is the most important question you need to start with. So you could ask any question, and we'll give you a bit of a scenario, but what is the most important question? And then, once we've talked about that, we're going to start talking about, well, what do you do after you've answered that question? And then the final piece, and the piece that I want to spend the most amount of time on, is providing my experience on some
really clear gotchas, so things that you don't necessarily think of, but that can really trip you up depending on what you're trying to build. The key point here is they're not technical gotchas; they're primarily about people and process. Technically you should generally be fine; building a SOC from a technical perspective has some difficulties, but it's the people and the process piece that can trip you up. Now, what makes me qualified to know about SOCs? I try and include this, and as you can see from the diagram on the right, I'm not quite up to 20 years in IT and cyber security, but based on
the color of my hair and the color of their hair, I'm getting there. But basically I've spent 10 years of my life, 13 years in IT and 10 years in cyber security, and I've had a range of positions. So I've been a researcher and a research engineer at the Australian Department of Defence. I've also been the Assistant Director for cyber threat intelligence capability at the Department of Defence; that's where my experiences from my previous talk around cyber threat intelligence came from. I then transitioned to private industry and became a scummy contractor, and became the security operations center lead at Leidos Australia for one of our customers. And most recently I've actually been
the chief cyber architect of a SOC program for Leidos, so building a SOC from the ground up, and that's where part of my experience comes from. Currently I am a full spectrum cyber lead for Leidos Australia. I sit under the CTO, and my job is to help support programs and projects in developing their capabilities and developing what I call cyber excellence, so being the best that they can within the realm of cyber security. As a little footnote, yes, I'm also the founder of ComfyCon AU. We ran two conferences last year as a result of COVID cancelling a number of conferences. We're probably not going to do one for the
rest of the year, unless Shannon gets me drunk or Nige gets me drunk. But watch this space; we'll be looking at doing one again in the future. And of course the traditional disclaimer: this presentation does not represent the views of my employer, nor am I going to talk about any of the secret sauce, sorry. So let's get started. What is a security operations capability? This is a definition from Wikipedia, but it's actually from a piece of research that was aimed at defining what a SOC is, and I've highlighted a couple of pieces here. I won't read it out because hopefully everyone can read, but essentially: a centralized unit. So the
idea behind having a SOC is it's a central group of people; it is bringing together a number of disparate capabilities into a single, I wouldn't say necessarily physical, location, but in terms of an organizational construct. They're there to deal with security issues on an organizational and technical level, so they're not there just to find incidents and resolve them and remediate them; they're also there to help support the organization and its goals for cyber security. That could be through governance and compliance, that could be through engineering, that could be through a whole range of different things. The three main building blocks, and you've heard me mention this before and I will keep harping on about them,
three main building blocks: people, process, technology. Without one of those building blocks, or with a deficiency in one of those building blocks, the capability isn't going to be as effective as it could be. Finally, it's for managing and enhancing that organizational security posture. A SOC is ever evolving; a SOC or a security operations capability is always there to improve, to learn lessons, to make sure that they can take the next threat, the next change. I should point out at this stage there was going to be a competition between myself and Cairo regarding puns; however, it turns out I actually don't know that many puns when it comes to SOCs, so I'm going to be trying to take the crown of most
memes in a presentation, but I'm sure somebody else will beat me, sorry. So a SOC, based on that definition, can include a wide range of different things. It's not just what you might traditionally think is an incident response capability, but it can include a threat intelligence capability to make sense of what's happening in the external world, but also to bring together the internal campaign information and make sense of it. They can also be the interface to the rest of the organization through a governance, risk and compliance function, whether that be through something like an ISO 27001 construct or an Information Security Manual construct. It's providing that
organizational policy and framework. Engineering and architecture is definitely something I see in there, both internally facing, i.e. making sure that the tools that are developed for the SOC to enable the SOC are there, but also to ensure that the patterns and the security architectures for the rest of the organization are developed in consultation with the operators, the people who are going to be actually defending those systems. Vulnerability management and penetration testing: I don't think you'll find much argument from many people on those. The interesting one is ITSM, and the reason I bring that up is ITSM or ITIL or whatever framework, SIAM, let's throw a whole bunch of buzzwords in here, is the interface to the rest of the IT
business, and so a SOC needs to operate within that. It doesn't necessarily have to follow ITSM or ITIL, but you need to make sure that you understand that when you want to go talk to another area, whether that be the area that runs endpoints or the area that runs the computing infrastructure, they will use ITIL or ITSM, and that is the language that you need to talk. And really, once you get to that point, everything is driven by the organizational requirements. No SOC is like any other SOC; you basically build your SOC using a combination of the Lego bricks that I've gone through above, and many more, in order to make sure that you get the
SOC that fits your requirements. So I said before, what is the most important question to start with? Let's start with a bit of a scene. This is not actually something that has happened; it's more likely that it's a client. But imagine my boss has come to me, in the vein of, I believe it's Niko from Grand Theft Auto, and said, hey ICD, hit me, your boss, make me a SOC. Cool, all right, what the hell do I do? And so I wanted to ask a bit of a group of people what they thought, and so I did what everybody else does
as a thought leader, or thought leader: I put out a LinkedIn question, and there were some interesting responses. Shout out first to Dwayne for this amazing response; I don't quite think this is how you're supposed to use cyber insurance, to be honest. I think you're supposed to, yeah, anyway. But there are some really good answers on that thread, and I'm happy to share the link. But essentially what I was trying to get at, or what I was trying to understand, is probably the next piece, and there are some really good, smart people on this list. I highly encourage you, if you're not already following them, to look at people like George, who of
course is presenting, Andrew Scully, Ed Farrell, or Faz. Mickey's even pretty good as well, for a vendor, sorry Mickey. But why do you need a SOC, right? Your boss can come to you and say I need a SOC, but really, fundamentally, you need to understand why. The reason for that is a SOC is not just some shiny thing that's going to make all your problems disappear. A security operations capability, or a security operations center, let's just say from now on we're going to use the word center, builds upon existing capabilities that an organization has within security. It's not just something you can build in 30 seconds with no budget and make it
work. It's something that needs to be integrated into the business operations of the organization. But more often than not, what actually happens, well, it's probably not more often than not, but what most people see is a bit of this. CISO is probably the wrong title, I'll admit; it's probably more board or CEO. But you hear about this sweet new SOC and you go, sweet, I can have that and I can ignore potentially some of the basic cyber hygiene concepts that need to be implemented. That's not the way it is. You really need to build upon an existing strong foundation of cyber security to make your SOC the most
effective it can be. So understanding the why is really important for a number of reasons. Understanding the why gives you the direction you require to ensure that, when you're building your SOC with the building blocks that I talked about before, you're including the right building blocks. It also gives you a really good idea of what the prioritization from management is. So some management are looking for, you know, we want to integrate incident response into our activities, we want to have a strong governance, risk and compliance function. I'm not saying it's the right answer from them, and this is where you will have to do stakeholder management and maybe a bit of managing upwards,
or managing sideways if they're a client, but it gives you this understanding and gives you that base level of knowledge that you need to be able to build moving forward. It also gives you a bit of a rough idea on budget. Now budget, when it comes to security operations, is a bit of a sore subject, and there are a few gotchas around that that I'll be talking about later. But all of these things, and the fundamental question of why, the business purpose, what you are looking at doing, will drive the actual implementation of a SOC. The other thing about it is having a clear understanding of language from the very beginning means that you understand
what your management is actually expecting. So if your management is expecting purely an incident response capability, then you know that that's what they want and you can build on that; you can talk about the other requirements as well, sorry, who knows. But if your management is expecting something that's more threat intel or all those kinds of capabilities, again it gives you that understanding. Being able to understand what somebody wants is pretty important, and the fact that SOC has been such an overloaded term, or it's such a misused term, can cause a lot of these issues. And so, moving forward, having that base level definition is almost your guiding principle. I'm not saying it doesn't change, but I'm saying
that it's the way in which you can then interact with your stakeholders to ensure that they know what you are building and that you're building to what they want, and also, if there are issues, they can understand why there are issues. So you've got the why. Sorry, I've got a very itchy nose. You've got the why; well, what do you do next? Well, I'm not going to go into a huge amount of detail because I really want to focus on those gotchas, but essentially, as I said before, there are three or four main capabilities of an operations center, and I covered three of these before, but the other one's actually data. So you need to make sure
that you have the visibility and the understanding of the organization for you to do the mission that you require on that organization. There's no point doing incident response if you can't see endpoints or you can't see the network traffic. Like, you can do it, but it's very difficult. So again the why question drives the things you require as part of that capability. People is a really important part of that as well. If you are building towards a governance, risk and compliance function or a penetration testing function, you focus your efforts on hiring those kinds of people. One of the big works that I've been doing over the last couple of months is getting people to understand that a
cyber person is not necessarily interchangeable with another cyber person. A really great example of documentation that helps you support that view is a thing called the NIST NICE documentation, so National Institute of Standards and Technology, and I think it's the National Initiative for Cyber-something. What that provides you is a list of job roles and the key experience areas and the key knowledge areas for those job roles. Then you can start saying I need this kind of person to fulfill this role. Now this is kind of straightforward for you and I, the people who are in this room who've done cyber security before; it's getting, again, management or other areas that you have to convince,
whether it be HR, whether that be a client (a client may ask for a SOC but not actually understand what they're asking for), to understand what that capability is broken into. Defining the processes is a very key part as well, and we're not just talking about the incident response processes, but we're also talking about how they interact with customers, how they do knowledge management, how they provide feedback when an architecture is received, or how they interact with other areas of the business who are building capabilities. All of these kinds of processes are key, and honestly those are the ones that I find are missed the
most when people are building stuff. You kind of assume that you'll make the processes up as you go, or you rely on that really dangerous of things which is corporate knowledge. And when I say corporate knowledge I don't mean in a wiki, I mean in someone's head. They become the most important person to the organization, and then they leave. So understanding processes is not just making sure you actually understand them, but you have ways of updating them, you have ways of recording them, you have ways of building the lessons learned into that. And then, as I said earlier, the technical capability and tools piece, to me, is not a difficult problem, but maybe that's
because I'm primarily a technical person and I'm coming from that direction. But you have a pretty good understanding of what kind of tools you need to run a SOC these days. You need some kind of SIEM, you probably need some kind of case management tool (ticketing systems are just not up to scratch anymore), you need things like those basic endpoint protection capabilities and network protection capabilities, and if you're doing governance, risk and compliance you probably want some kind of enterprise risk management product. The list here is endless and it's not really the focus, but essentially, when you've got the people, the processes and the data, that should drive the technical
capability and tools, not the other way around. I'm a great believer in the fact that your tools are picked based on what you're doing, not the other way around, and I have a habit of upsetting vendors when I say, what's the business case for this actual tool? Like, how does this actually help me, not what does it do. The other thing to keep in mind is probably a bit of information that I've shown before, not in this presentation; I'm sorry it's cut off a little bit, but it's understanding who your threats that are likely to target you are. A bit of threat modeling never really hurt anyone, but it
can be a difficult thing to do. But if you're an organization that is looking to defend against tier 1 script kiddies, non-malicious actors, maybe a bit of tier 2, you probably actually don't need a SOC. You probably just need some extra capabilities for detection. You need someone monitoring those capabilities, don't get me wrong, but if we're talking about a full SOC construct with a whole bunch of people and management, it's probably not something you need. But then again, if you're saying that you're going to aim to defeat those tier 6 adversaries, you're never going to have enough budget nor enough people to be able to do that. So it's a balancing act that helps
you, again, prioritize what you're looking for, but also, quite honestly, to justify and explain to your management or the customer that you can't defend against everything. And that's a really important thing to start keeping in mind: the SOC is going to let something through the goal. That's not a question, that's a statement. And being able to get people to understand that just because you have a SOC doesn't mean the system is secure and nothing's going to get through. I think people are starting to come on board with that now; there's been a lot of work when it comes to boards understanding this and management understanding this, but it's still something that needs to be made really
crystal clear. There is no single golden bullet; it is about bringing everything together into a single cohesive capability, which includes the SOC, which includes cyber hygiene, which includes architectures, all those kinds of things, to provide that single capability for defending a system. So I've spent a lot of my time over the past couple of years building SOCs for a variety of different customers: small, big, big networks, little networks, different data. And so there are some real things that can come up that can really change your solution or drive a certain direction. So I really want to provide these to you guys to give you some thoughts. I'm not going to give you the answers,
but it's things to make you think about if you're asked the question "I want to build a SOC": what are some of the actual real problems that come up with actually building that SOC?

And so the first one is about time frames. I've been asked in the past to build security operations centers in very, very little amounts of time, we're talking months. The fact of the matter is, no matter how much money you throw at a SOC, building a mature one is going to take time. I can use the analogy of a fine wine or a smelly cheese: it doesn't matter what environment you put it in, it's just going to take time. And so there are a number of challenges when you're building in a new environment, you're building a new SOC, that ultimately you can't just make go away. Things like getting all the data you need and the visibility across the organization: it's a huge challenge, huge challenge. Making sure that your agents are installed across endpoints, you go through the change management processes, all those kinds of things that are just IT problems take time. The development and refinement of SOPs through use in anger, and I'll talk a bit more about SOPs later. Sorry, aren't you really itchy because they're having dogs who haven't turned up? I'm sorry, I'll make sure they turn up at some point. Development and refinement of SOPs: no matter how well you write a SOP, until you use the SOP it's useless. You can write a perfect SOP and then somebody will find an issue with it when they actually use it in anger. And so you need to have that time to write the SOPs but also evaluate the SOPs, review them, conduct lessons learned, all those kinds of things. The other part of it is you might write a SOP and then not use it for months and months and months, or even years, and so you really need to be able to have that capability to build upon that moving forward.

The other part of it is actually the traditional forming, storming and norming of a team. If you're bringing together a brand new capability with brand new people, you may have a couple of people that are there to start with, but you're building a new team, or multiple teams, and if you're including those building bricks, then teams within teams if you also want to bring in a shift roster structure as well. That is something that takes time to work to an effective capability; it's not something that you can get working on day one. The other part of it is a SOC is never finished. As I said earlier, SOCs take time to evolve. You find new threats, new technologies, new ways of working, all these kinds of things. The SOC needs to always evolve, and so it's never finished. You can never put a stake in the ground and say the SOC is done, we're not doing anything else with it. And so the important thing around that that I will say is it's really important with management to have a realistic time frame and be very clear on what the definition of done is. That's a term from agile I'm kind of stealing now, but the idea being you need to be clear with everyone what the expectations for day one of operations are. Now your expectation may be: I just want everyone to get in the environment and start looking at stuff, we may miss stuff from the start, you know, all these kinds of things. And again, it's being clear about that so everyone is on the same page and knows that from day one you will not be effective, because it's true. I don't know of a SOC that on day one was the most effective that it could be, unless you were taking a pre-existing team and then applying it to a new customer, for example. But even then you find new things and you evaluate new things.

The second gotcha: hiring. Oh, this is one that has caused me a lot of pain in the past.
So your hiring location is going to be a significant factor in resourcing. If you choose to build a SOC in Canberra city or Melbourne, a brand new one, right now you're going to have issues, and I know this because I've tried to build one recently. The problem is just finding the right people. Even if you're willing to invest in training, even if you're willing to make sure that you provide the right salaries, getting the right people is a very difficult thing to do right now, because you still need to have a mixture, generally, of junior staff and senior staff, and frankly the senior staff right now are just stretched very thinly.

This is also really intimately linked to a security clearance or any kind of other clearance, whether that be an ATO or, you know, working with children, all these kinds of little things that can come up in terms of a clearance of some kind. If you are hiring with one, there'll be fewer people. If you're not hiring with one, you need to make sure that you include that within your time frames, because potentially that person will be employed by you but not able to work on tools for that period of time. So, you know, if they require access to a classified system and they don't have the clearance, they can't touch that system. The other important point that I'll say there is make sure you actually do market test your salaries and start off with reasonable figures. If you go in with dumb amounts of money, and when I say dumb amounts of money I mean low amounts of money, you're not going to get anyone and you're just not going to get anywhere. Again, one of the personal plights, I guess, that I've been on recently is getting people to understand the value. And there is, I will say here, a balance between the value that the person holds in themselves and a realistic value. Some people say that they're worth hundreds of thousands of dollars, and that's not a realistic amount of money, but that's where the market testing co